Analysis

  • max time kernel
    115s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    01/06/2023, 19:32

General

  • Target

    a27b6bfb8e6aef454395cbab2bdf7cd1.exe

  • Size

    552KB

  • MD5

    a27b6bfb8e6aef454395cbab2bdf7cd1

  • SHA1

    4a60125f0964f4992471c37d606fb0fdb4d98eb6

  • SHA256

    8022060ef633e157518037122a6003813cc0a3066d456a1164275a211efc8f5c

  • SHA512

    5bf76dbfe740cfa7a78c65a9d51ecc0c120a828baa683a336b73cbb3b58ef2765759f186cd082adc04675c0bfe20c9b252074dadaa148ab67debc5ac74922d57

  • SSDEEP

    12288:F8ENlAKnykvnA6NkSo3wtfVx9Edm3pd4bOjxeEUYQc5aYWyQ0h75:SENlF4rRqfVxQGp7jN5aBWV5

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: B3ACB03C799627BB48577426AEDD78DA
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a27b6bfb8e6aef454395cbab2bdf7cd1.exe
    "C:\Users\Admin\AppData\Local\Temp\a27b6bfb8e6aef454395cbab2bdf7cd1.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1684
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2476
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2700
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2776
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1384

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

    Filesize

    512B

    MD5

    8575439672cccc34f3f8a64bc31676b6

    SHA1

    ae91934ab355c33099e3448e8a317fb989f6d59a

    SHA256

    03ed6d27609b899446ed6fb4826286e36326e8e43c121e296e3bc4e32b977530

    SHA512

    5d12e5e9c13c462102bf7af1efdd857f92dd117587dfbc05a36fb126ec10fcd45906cf1f76e3e823c37fa89d094f785ab41c3e47ccc476372b234845f83aedb4

  • memory/2028-7747-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

  • memory/2028-3122-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

  • memory/2028-5814-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

  • memory/2028-6405-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

  • memory/2028-7746-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

  • memory/2028-75-0x0000000000300000-0x00000000003F1000-memory.dmp

    Filesize

    964KB

  • memory/2028-7748-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

  • memory/2028-7752-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

  • memory/2028-7755-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

  • memory/2028-7756-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

  • memory/2028-7757-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

  • memory/2028-7758-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB