Analysis

  • max time kernel
    66s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  • submitted
    05/06/2023, 12:17

General

  • Target

    8022060ef633e157518037122a6003813cc0a3066d456a1164275a211efc8f5c.exe

  • Size

    552KB

  • MD5

    a27b6bfb8e6aef454395cbab2bdf7cd1

  • SHA1

    4a60125f0964f4992471c37d606fb0fdb4d98eb6

  • SHA256

    8022060ef633e157518037122a6003813cc0a3066d456a1164275a211efc8f5c

  • SHA512

    5bf76dbfe740cfa7a78c65a9d51ecc0c120a828baa683a336b73cbb3b58ef2765759f186cd082adc04675c0bfe20c9b252074dadaa148ab67debc5ac74922d57

  • SSDEEP

    12288:F8ENlAKnykvnA6NkSo3wtfVx9Edm3pd4bOjxeEUYQc5aYWyQ0h75:SENlF4rRqfVxQGp7jN5aBWV5

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware
Your data are stolen and encrypted
The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
You can contact us and decrypt one file for free on these TOR sites
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
OR https://decoding.at
Decryption ID: B3ACB03C799627BB4283076ED921F299
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at
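The extracted config above is what an analyst pulls out of Restore-My-Files.txt by hand: the family string, the leak site, the victim portals and the per-victim Decryption ID. The following is an added example, not code from the sandbox or from this report, that does that extraction programmatically and tags each URL by its role. The note text is embedded inline as a constructed input (it is the note body reported above); the role heuristic (URLs in the "published" sentence are the leak site, URLs after the "contact us" line are victim portals) and the v3 onion format check are this example's own assumptions.

```python
import re

# Constructed input: the Restore-My-Files.txt body as reported for this sample,
# embedded inline so the extractor runs offline.
NOTE = """LockBit 2.0 Ransomware
Your data are stolen and encrypted
The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
You can contact us and decrypt one file for free on these TOR sites
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
OR https://decoding.at
Decryption ID: B3ACB03C799627BB4283076ED921F299
"""

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/\S*)?")
V3_ONION_RE = re.compile(r"^[a-z2-7]{56}\.onion$")   # Tor v3 address: 56 base32 chars
DECRYPTION_ID_RE = re.compile(r"Decryption ID:\s*([0-9A-Fa-f]{32})")
FAMILY_RE = re.compile(r"LockBit\s*\d+(?:\.\d+)?", re.I)


def host_of(url):
    """Return the lower-cased host part of an http(s) URL."""
    return url.split("://", 1)[1].split("/", 1)[0].lower()


def extract_config(note):
    """Pull the operator-controlled indicators out of a LockBit 2.0 note.

    URLs are tagged by role from the sentence they sit in (assumption of this
    example): 'published' marks the leak site(s); every URL after the
    'contact us' line is a victim portal used for negotiation/test decryption.
    """
    urls, seen, contact_mode = [], set(), False
    for line in note.splitlines():
        low = line.lower()
        if "contact us" in low:
            contact_mode = True
        for url in URL_RE.findall(line):
            if url in seen:
                continue
            seen.add(url)
            host = host_of(url)
            role = "leak" if "published" in low else ("contact" if contact_mode else "unknown")
            urls.append({"url": url, "host": host, "role": role,
                         "onion": host.endswith(".onion")})
    fam = FAMILY_RE.search(note)
    did = DECRYPTION_ID_RE.search(note)
    return {
        "family": fam.group(0) if fam else None,
        "decryption_id": did.group(1).upper() if did else None,
        "urls": urls,
        # Onion names that fail the v3 format check deserve a second look:
        # a mangled or truncated host will never resolve in Tor.
        "malformed_onion": [u["host"] for u in urls
                            if u["onion"] and not V3_ONION_RE.match(u["host"])],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_config(NOTE), indent=2))
```

The Decryption ID is the per-victim identifier the operators key their portal on, so it is the one field in the note that is unique to this infection; the onion hosts are shared across many victims and are the indicators worth blocking or hunting for across the estate.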

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8022060ef633e157518037122a6003813cc0a3066d456a1164275a211efc8f5c.exe
    "C:\Users\Admin\AppData\Local\Temp\8022060ef633e157518037122a6003813cc0a3066d456a1164275a211efc8f5c.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:676
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2948
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4364
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4692
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:952
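The process tree above is the textbook recovery-inhibition chain: one cmd.exe child of the sample runs four commands back to back (vssadmin delete shadows, wmic shadowcopy delete, and the two bcdedit changes that suppress Windows Recovery at boot), and each spawns its own child process. The following is an added detection example, not code from the sandbox or from this report. It evaluates process-creation events against a small rule set, splitting a cmd.exe command line on its chaining operators so each rule is judged against a single command, and raises severity when several recovery-inhibition steps appear in one command line. The event records are constructed inputs that mirror the PIDs and command lines reported above plus one benign admin command line; the simplified field names (pid, ppid, image, cmd) stand in for the real Sysmon/4688 schema and are an assumption of this example.

```python
import re

# Constructed Sysmon Event ID 1 style records mirroring the process tree in this
# report (PIDs and command lines as reported), plus one benign admin command line
# (pid 5000) that must NOT alert. Field names are a simplified stand-in for the
# real event schema.
EVENTS = [
    {"pid": 956, "ppid": 1324, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet '
            r'& wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy '
            r'ignoreallfailures & bcdedit /set {default} recoveryenabled no'},
    {"pid": 676, "ppid": 956, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 2948, "ppid": 956, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"pid": 4364, "ppid": 956, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4692, "ppid": 956, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c vssadmin list shadows & bcdedit /enum'},
]

# Each rule: (name, ATT&CK technique IDs, regex applied to ONE command segment).
# T1490 Inhibit System Recovery, T1047 Windows Management Instrumentation.
RULES = [
    ("vssadmin_delete_shadows", ("T1490",),
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete", ("T1490", "T1047"),
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_recoveryenabled_no", ("T1490",),
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignoreallfailures", ("T1490",),
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# cmd.exe chaining operators: "&", "&&", "|", "||"
SEGMENT_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def split_segments(cmdline):
    """Split a command line on cmd.exe chaining operators so each rule is
    evaluated against one command rather than across the whole chain; this
    stops keywords from two unrelated commands combining into a false match."""
    return [s for s in SEGMENT_SPLIT.split(cmdline) if s.strip()]


def classify(event):
    """Return an alert dict for one process-creation event, or None."""
    hits, techniques = [], set()
    for segment in split_segments(event["cmd"]):
        for name, ttps, rx in RULES:
            if rx.search(segment) and name not in hits:
                hits.append(name)
                techniques.update(ttps)
    if not hits:
        return None
    if event["image"].lower().endswith("\\cmd.exe"):
        techniques.add("T1059.003")   # Windows Command Shell
    # Several recovery-inhibition steps in one command line is the ransomware
    # pattern seen above; a lone vssadmin/bcdedit call may still be admin work,
    # so it only reaches medium and should be judged with its parent process.
    severity = "high" if len(hits) >= 2 else "medium"
    return {"pid": event["pid"], "ppid": event["ppid"], "image": event["image"],
            "rules": hits, "techniques": sorted(techniques), "severity": severity}


def detect(events):
    """Run classify() over a batch of events and keep only the alerts."""
    return [a for a in (classify(e) for e in events) if a]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["severity"].upper(), alert["pid"], alert["rules"], alert["techniques"])
```

Evaluating the parent cmd.exe line on its own matters in practice: if only Security 4688 auditing without child command lines is available, the cmd.exe event is the one record that still carries all four commands. On a host where this chain has already run, the bcdedit changes are reverted with `bcdedit /set {default} recoveryenabled yes` and `bcdedit /set {default} bootstatuspolicy displayallfailures`; the deleted shadow copies are not recoverable, which is exactly why the rule should page before the encryption phase, not after.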

Downloads

  • C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

    Filesize

    512B

    MD5

    76e5c3bdcef5b1aae6366faa15c3a7b4

    SHA1

    05332e9e250b92aeeca499805dd8a095010ae2b9

    SHA256

    59bfd73027c0db6dbac36ae6beb73754fdf6ffe58efd15b21e07c18ee67f9656

    SHA512

    a13fc63faa482eed5364b4034b9ae6466f80122bc3661da57071e418d23cc79620aadcb357792bca9d74d890d8fc11c236ce309e447c6a45e960ffcfe8b2efd2

  • memory/1324-63-0x0000000002090000-0x0000000002181000-memory.dmp

    Filesize

    964KB

  • Dumps of the sample's main image region 0x0000000000400000-0x000000000070C000 in PID 1324, taken at successive points in the run (Filesize 3.0MB each):

    memory/1324-2157-0x0000000000400000-0x000000000070C000-memory.dmp
    memory/1324-3565-0x0000000000400000-0x000000000070C000-memory.dmp
    memory/1324-4710-0x0000000000400000-0x000000000070C000-memory.dmp
    memory/1324-7499-0x0000000000400000-0x000000000070C000-memory.dmp
    memory/1324-7723-0x0000000000400000-0x000000000070C000-memory.dmp
    memory/1324-7724-0x0000000000400000-0x000000000070C000-memory.dmp
    memory/1324-7728-0x0000000000400000-0x000000000070C000-memory.dmp
    memory/1324-7729-0x0000000000400000-0x000000000070C000-memory.dmp
    memory/1324-7730-0x0000000000400000-0x000000000070C000-memory.dmp