Overview

overview

10

Static

static

1

1d30c8ea61...7d.exe

windows7-x64

1

1d30c8ea61...7d.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    1d30c8ea61630a44351f29b209813275b5077a637a571d888e97398f8c24787d

  • Size

    965KB

  • Sample

    231012-fdbkeahg57

  • MD5

    0c2246bc569ddf7c9e93ccbf87aeb397

  • SHA1

    60e82a899f2c45866ca1123c057b4ccc5b79cc10

  • SHA256

    1d30c8ea61630a44351f29b209813275b5077a637a571d888e97398f8c24787d

  • SHA512

    a6f862c8db73c2460fd675a9bc8538a01fb3cbd983e890c10bd18fc2cfff23e90b88032fbed60ff29bd25354491676187a9df6053f369856ebcab15d6a852e73

  • SSDEEP

    12288:+sT4cgRdrEAzvHG4z/bEUZEPurHbNFKSEv0xt9:+sGRdrEAbm4z/bEUaPuD3Rw0xt9

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Pzkke1Qf6.README.txt

Ransom Note
Your computer has been infected with LockBit Ransomware. All of your files are encrypted using military grade encryption that can only be decrypted with a key that only I have. If you want your files and hard-drive back you will have to send '0.122' ($2,000 USD) bitcoin to the bitcoin wallet '1C4hJT5n1tSiGKWup67DAiJdVv6GhjdN7k'. After paying send a email to '[email protected]' with the first five digits of your bitcoin address or transaction ID and I will send you the key to decrypt your files. To prove that I am being sincere in decrypting your file I encourage you to contact me before paying so that you can know for sure that I am still active. So you can know I am able of decrypting your files you can also send me a encrypted file and I will decrypt for free. WARNING: If you do not pay within one week your files will be deleted I will sell all the information on your hard-drive on the dark web and send a email to your customers, clients, and associates letting them know about the data breach.
Wallets

1C4hJT5n1tSiGKWup67DAiJdVv6GhjdN7k

Targets

    • Target

      1d30c8ea61630a44351f29b209813275b5077a637a571d888e97398f8c24787d

    • Size

      965KB

    • MD5

      0c2246bc569ddf7c9e93ccbf87aeb397

    • SHA1

      60e82a899f2c45866ca1123c057b4ccc5b79cc10

    • SHA256

      1d30c8ea61630a44351f29b209813275b5077a637a571d888e97398f8c24787d

    • SHA512

      a6f862c8db73c2460fd675a9bc8538a01fb3cbd983e890c10bd18fc2cfff23e90b88032fbed60ff29bd25354491676187a9df6053f369856ebcab15d6a852e73

    • SSDEEP

      12288:+sT4cgRdrEAzvHG4z/bEUZEPurHbNFKSEv0xt9:+sGRdrEAbm4z/bEUaPuD3Rw0xt9

    Score
    10/10
    ransomware

    • Renames multiple (74) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks