General
-
Target
ZmU2ZGYw.exe
-
Size
959KB
-
Sample
230523-t8talaha8w
-
MD5
41687e58130c8bdca248e1403e565afb
-
SHA1
6eda5da62e5073a67ff89dd89b85328dd2df73d1
-
SHA256
fef1f9664fde9b23754c691b15a05fdc35a51a0ceb8a18fb9a5a0166e6377c69
-
SHA512
6cd670e5f14a8d6fa1b5894a89cfe514d403f3f8dc82be9c83f86345be72d218844cd3f8c1c045deae6a292796d6d280efe49c8de724abda038c522407a14cde
-
SSDEEP
24576:TLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdAF:Pjrc2So1Ff+B3k796W
Static task
static1
Behavioral task
behavioral1
Sample
ZmU2ZGYw.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
ZmU2ZGYw.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\Program Files\Java\jdk1.8.0_66\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\Users\Admin\Desktop\LockBit_Ransomware.hta
https://decoding.at/
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
Targets
-
-
Target
ZmU2ZGYw.exe
-
Size
959KB
-
MD5
41687e58130c8bdca248e1403e565afb
-
SHA1
6eda5da62e5073a67ff89dd89b85328dd2df73d1
-
SHA256
fef1f9664fde9b23754c691b15a05fdc35a51a0ceb8a18fb9a5a0166e6377c69
-
SHA512
6cd670e5f14a8d6fa1b5894a89cfe514d403f3f8dc82be9c83f86345be72d218844cd3f8c1c045deae6a292796d6d280efe49c8de724abda038c522407a14cde
-
SSDEEP
24576:TLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdAF:Pjrc2So1Ff+B3k796W
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Modifies boot configuration data using bcdedit
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Adds Run key to start application
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-