lockbit

General

Target

022091772db14e763fcceeb462d150d1
Size

969KB
Sample

231229-yf1anadhal
MD5

022091772db14e763fcceeb462d150d1
SHA1

dcc81069eccf55b6b292fa0b284265c6af4c4e74
SHA256

b2f1ec9408272cc125b96a4f3b7c06c23742d69845e9b6a24f7eafad4da72faa
SHA512

67ac81a397f7e0c73167ead29a412e0d2f5e9d552f68059d431bbb8b04767d0783ea49bbedabe025331cc9067a3a959666765ccd7b88b16e28ca9ed5d53c131b
SSDEEP

24576:PbqIi4vsu1NQ9+aubOj+vCVCdN/4yMdkzkxwccmiF:DqIiW7Qoau174IkxwVD

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: FCE1FD7644DB7C6D108666CEB475A4FD

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: FCE1FD7644DB7C6D8B3F46C32A826DB0

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Targets

- Target
  
  022091772db14e763fcceeb462d150d1
- Size
  
  969KB
- MD5
  
  022091772db14e763fcceeb462d150d1
- SHA1
  
  dcc81069eccf55b6b292fa0b284265c6af4c4e74
- SHA256
  
  b2f1ec9408272cc125b96a4f3b7c06c23742d69845e9b6a24f7eafad4da72faa
- SHA512
  
  67ac81a397f7e0c73167ead29a412e0d2f5e9d552f68059d431bbb8b04767d0783ea49bbedabe025331cc9067a3a959666765ccd7b88b16e28ca9ed5d53c131b
- SSDEEP
  
  24576:PbqIi4vsu1NQ9+aubOj+vCVCdN/4yMdkzkxwccmiF:DqIiW7Qoau174IkxwVD
Score

10^/10

lockbit discovery evasion persistence ransomware
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2