General
Target: NCdDbuXe.ps1
Size: 201KB
Sample: 230711-fnxkmaed45
MD5: b64c41db5b29735f315f31b4d6bae0f6
SHA1: 177a66f297a34e21dd528deebe4fc20102802d74
SHA256: 62e3da334ba291209b9cd8bb9bdd7eafabc8dd185c7b6cb5bc063155d7c87c18
SHA512: a916af75b1d3f69b0eca9e99c6a0bd5dbcdeaa4ea6297bac7286378d2b46bc20d075cd45623c47dd323a941ce966d9512d11fa6070b501596d13b443fb6e3afa
SSDEEP: 3072:cioCO6E2ns7VYRckQO0KNLJpZuUPuIUoNrf2zCBjPpaWbdZ0aK3B7rO97/lZ:c1Mn4YRQO0sJp5G9a+CBrBx97/lZ
Static task: static1
Behavioral task: behavioral1
Sample: NCdDbuXe.ps1
Resource: win10v2004-20230703-en
Malware Config
Extracted from: C:\fg1nrax2U.README.txt
lockbit
https://twitter.com/hashtag/lockbit?f=live
https://tox.chat/download.html
Targets
Target: NCdDbuXe.ps1
Score: 10/10
- Rule to detect Lockbit 3.0 ransomware Windows payload
- Renames multiple (734) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger