Overview

overview

10

Static

static

1

xhBTePmb.ps1

windows7-x64

10

xhBTePmb.ps1

windows10-2004-x64

10

xhBTePmb.ps1

windows11-21h2-x64

10

Resubmissions

23/12/2023, 23:48

231223-3ttr9aahgr 10

12/07/2023, 00:36

230712-ax75tsbc92 10

Analysis

  • max time kernel
    1561s
  • max time network
    1561s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    23/12/2023, 23:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    xhBTePmb.ps1

  • Size

    204KB

  • MD5

    e9b595b99ac9d2c1615073b88164dccd

  • SHA1

    06b5c574a98e9a1fb822bde91d77505d53d36f83

  • SHA256

    fe9c9951dbfe19a8e8db02831e17e0ef31a8c522ffbd1e689f9545571853a70f

  • SHA512

    3b837153add08da65e1c4b1418b32565b2ba934ab4306badb5fc5dcc547b423e0e3f8c9c5387b0087119bba6a8b2b2deedb14b1318cfa14c1b0e15a6cc38a231

  • SSDEEP

    6144:SUxev1EfxTZQR9pzvr66jflWpO6RHjZkoyLs1/fH5ND:SYewQndveKwxRDZzYsBfzD

Score
10/10
lockbitransomwarespywarestealer

Malware Config

Extracted

Path

C:\fg1nrax2U.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. >>>> Your personal DECRYPTION ID: 095A437114C72F35C02BD1E1D3374477 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser
URLs

https://twitter.com/hashtag/lockbit?f=live

https://tox.chat/download.html

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Rule to detect Lockbit 3.0 ransomware Windows payload 2 IoCs
  • Renames multiple (269) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\xhBTePmb.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3s1e3ogp.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC889.tmp"
        3⤵
          PID:2660
      • C:\Users\Admin\AppData\Local\Temp\SOun56zW13QZ.exe
        SOun56zW13QZ.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Sets desktop wallpaper using registry
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\ProgramData\1EE6.tmp
          "C:\ProgramData\1EE6.tmp"
          3⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:1612
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1EE6.tmp >> NUL
      1⤵
        PID:2272
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x14c
        1⤵
          PID:2112

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\GGGGGGGGGGG
                Filesize

                129B

                MD5

                8ed4728196535d26a363628ab728d86c

                SHA1

                d86d5e1462673578193e67e94e59532ef89f5335

                SHA256

                df0722cde96d5146ed6da2b8ae0eb84c26acbdad5287e8e61c9825b81fcfe29c

                SHA512

                a7f97f7534586d14ecc75d0a7dce1c9eb446d648fb27ad6bc87f6b86d55276ea8b7f1c35d17096a7fc457643f381fbb07b830ca7933b706c6e6890b6a20b3932

                Download Submit

              • C:\ProgramData\1EE6.tmp
                Filesize

                14KB

                MD5

                294e9f64cb1642dd89229fff0592856b

                SHA1

                97b148c27f3da29ba7b18d6aee8a0db9102f47c9

                SHA256

                917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

                SHA512

                b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\3s1e3ogp.dll
                Filesize

                4KB

                MD5

                8bb92d6185ebe06de8b3a37d8b7e31db

                SHA1

                f65d25e4832060cc4b307bba2d2cbf8532657946

                SHA256

                e82655d6d927d293c3bdbd891cff6d1c6ff8e5fb9d9156a1e3b2df623baeb068

                SHA512

                24773d0d715cc4c1c2a414fe0d35fd08ea5adbf6c29d5818ab9511f7bf190d18a5bb11f1e449f0ed07c83942432e81984adb26de7469d7767cd259c2ec21b402

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\3s1e3ogp.pdb
                Filesize

                11KB

                MD5

                f2174aaecfe5bec8ba6a562c6bf87e24

                SHA1

                8ef97c5f698c932d83f086367ccf3d42f3eaf8b7

                SHA256

                34fa828fef1825f944c6004c8b7c8339e72ab696d43fd0b391afa4b42eca39bc

                SHA512

                0a41a304dc7e769381c74a2a48498c5db870acb9381c870e5eaf82bdb67b7407884754c2d683f632679d8b30f59c756e0c248d82cc1616f85201c7c13dea1fe6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDD
                Filesize

                149KB

                MD5

                cc925506d0fe56f827c6dce3bde25a33

                SHA1

                081719dea109efe29ee55ab361c9561d16688907

                SHA256

                4437b68ff0b0520896caa8d8b09a9a880fb679b56ab32402193e499913adc6c3

                SHA512

                772e2d4763001087c35b1328036bc6711817a93a6cd84f10f1d89ad7f88ee7ce44fc2035aea744ee4874bd9308fccf3b80d8d2c1fb44f3f9162faee154cee618

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RES88A.tmp
                Filesize

                1KB

                MD5

                f20c20d6e5a5691a6cebec6fd85f95e3

                SHA1

                84c0b04b8c72fe28e071fb4e7e2338651bc6c18c

                SHA256

                8bc14c8f4a0d7778c2c47e22cc499d55829a8550743940ed6cdc479f5e8073f4

                SHA512

                06dd85fbefdc2ba747720d0d8152bd2318747e829121f8c1adb997c02da0a3535b2c664cdea9cf548b89dd4f225adf7b58df094cfb7cfd3a34eeca04ab0c1def

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\SOun56zW13QZ.exe
                Filesize

                136KB

                MD5

                898ba0d61733a847b1c0f19c313b6a35

                SHA1

                8ac8611ee823c721550f034c6e1ea91fd8a0b76b

                SHA256

                1aa150e9ac2fa40ae9ed00125de04185b8e171c8fbc9ab8096da32382ec7df01

                SHA512

                565e8d7e418cb8ea03fcc25421fbc9de8de61f8f1edc471b3ea0c6f2f7b5cb025489a1b9ac467d7afe3ceab01888773f41d35a9861e8efc811c7209ae2d32b07

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\SOun56zW13QZ.exe
                Filesize

                149KB

                MD5

                734cee97a335632f53f4d325848efcd7

                SHA1

                941fe2aa7b799380020bda118d2f85892f52c3c7

                SHA256

                25f9e2bb5312f3ba8d593529546402d91460720239805502c8ce29582c922036

                SHA512

                01864dd4415bf56f78fd14adf157b307d5c36f888b59ec79a0174307e0d4ccb12cd5650f03e32108b83039da3875e76ded213286682ab0346be116d717bd178e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\SOun56zW13QZ.exe
                Filesize

                149KB

                MD5

                f9f494984312089b882d0dcffee3d593

                SHA1

                b8c31e56036637742ecccd0f36b4a2e704b1af37

                SHA256

                75b748f2fab91f291c45695ba8f5856effd81bbed6de64186ea32cf383672fa4

                SHA512

                0c068ce38ff1f121f7fe57ebd55a8fd27ceeb64b63ae2301c88d845671849884db053ed90c71d937f6827a0b4fc99ff9b516aab6c63b036e10a1235ede8ba40b

                Download Submit

              • C:\fg1nrax2U.README.txt
                Filesize

                2KB

                MD5

                c63feb15094a7a8bf6bd8e7654f2beb8

                SHA1

                08e3b72cd6ce0b3f5569fed6658aca0e6acd9bc3

                SHA256

                ccb32ffda4fbb7d2c65ebfd4981bbbb66fd73c79eac2aa0a60c1ce2e2190b369

                SHA512

                194947859a44858761e59cd0311961bae0105e39f85b184682286ad8f0cb93acfa56b6e446c64efa0c2089978f6d9022b5da6d153236e433bbdc4d32a65bf174

                Download Submit

              • F:\$RECYCLE.BIN\S-1-5-21-3470981204-343661084-3367201002-1000\SSSSSSSSSSS
                Filesize

                129B

                MD5

                e849f576b2bf30f00c4f90dec245cce6

                SHA1

                f60a468a16229de2f96c3cfe6393b7b9347a2547

                SHA256

                7026e3aaa8eee475c3fb55171a4a2d4f87e16d22ae43459420cd68e0307a5261

                SHA512

                5d16d863fcc20a02c5a34791582214d12deaddffa6832d4b7fa5ef1eaf55355e1280e881361e2054bb411db4dcc4398d8409fe8f0b9756a5de8e27a942051a48

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\3s1e3ogp.0.cs
                Filesize

                2KB

                MD5

                a484a625a1ac39f6bc6822fdaa5389ca

                SHA1

                5f9102a83ecdc1fe1320977e4d10fa5178a64b1a

                SHA256

                0070dbcfc3a0e878c896f34f6d4a929dc741bd8c51f359c3d08c76fb2d41501a

                SHA512

                fee8d999e864a91ddec3009ad91ebcdb3ad730de92b3b78bd9e3f0e3fd1c295123f23ae89d156aeffc185684bab5c41059c3ac033a893eb7e7500de016a0d548

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\3s1e3ogp.cmdline
                Filesize

                309B

                MD5

                27d378db78b94ab1fdfc3dbaaa59cfc7

                SHA1

                aa5824ee6338f0393cc75a26046ed7afa2a19d0e

                SHA256

                b44a988986784768db981c92ce26a4046669553043b49961c6ea22485f865fbd

                SHA512

                f25373c1205d42cf21ff2cfa09cf8ec84cc087229d48b221464983d74f0d4fba41910ee5e3d74acc1cb795d8358824d4a02e332f459a9d79896cc5374697d76e

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\CSC889.tmp
                Filesize

                652B

                MD5

                78154de37ce6f31861685de4ee3025a6

                SHA1

                e1d7febb91b8081b8bb399fb84640399ee87f78b

                SHA256

                841d4396e8012d0e20cd06295ce759ed68e8ad12731398b6ad23d10396143435

                SHA512

                b5fd9516be6d60331de44d2303678d3b919a32ac7235e736d61fc061f96335a507b2bede6ddcff3d837a213cf452c121ffa795b8a15a14a543a5864281bff9d0

                Download Submit

              • memory/1612-818-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-828-0x000000007EF80000-0x000000007EF81000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-816-0x0000000000400000-0x0000000000407000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1612-821-0x0000000000540000-0x0000000000580000-memory.dmp

                Filesize

                256KB

                Download

              • memory/1612-826-0x0000000000540000-0x0000000000580000-memory.dmp

                Filesize

                256KB

                Download

              • memory/1612-829-0x000000007EF20000-0x000000007EF21000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-851-0x000000007EF40000-0x000000007EF41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-852-0x000000007EF60000-0x000000007EF61000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2612-39-0x00000000001E0000-0x0000000000220000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2848-4-0x000000001B640000-0x000000001B922000-memory.dmp

                Filesize

                2.9MB

                Download

              • memory/2848-8-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/2848-10-0x0000000002D30000-0x0000000002DB0000-memory.dmp

                Filesize

                512KB

                Download

              • memory/2848-13-0x0000000002D30000-0x0000000002DB0000-memory.dmp

                Filesize

                512KB

                Download

              • memory/2848-7-0x0000000002D30000-0x0000000002DB0000-memory.dmp

                Filesize

                512KB

                Download

              • memory/2848-38-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/2848-6-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/2848-28-0x0000000002D00000-0x0000000002D08000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2848-5-0x0000000002860000-0x0000000002868000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2848-9-0x0000000002D30000-0x0000000002DB0000-memory.dmp

                Filesize

                512KB

                Download