General
Target: samples4 (2).zip
Size: 42.6MB
Sample: 240101-szxe8afha8
MD5: 9b57ef7e531dfa8a0e22d741ace7d11f
SHA1: f8dd7cd98c4ae3c49e6ee85ad94265d661ecdad3
SHA256: 27ee59c2aa3a020f2966d4946845edf9449e9f2e2ce5fdccbfe31fb2ba5d69d7
SHA512: 2cd6dec3f56b656aaa2638b90d6fb61a005d1bd9304d2bb37b0f344ab699d4061beaaaf8d208e175b3ff9528d634a730d2be8731510342a4f731166877da45bb
SSDEEP: 786432:9nEppsCB2TE+tUUHqsX5ATG6NtJiGoI341+dC16tzO1Zi43ktj386ChLc654jZUZ:9EQCB2T7BF5AjJiEdvY3ZhLd4lYB
Behavioral tasks (task: sample, resource)
behavioral1: samples4 (2).zip, win7-20231215-en
behavioral2: samples4 (2).zip, win10v2004-20231215-en
behavioral3: 052012a941d98920e0fed58649ccfa3b092344630d366889678fa94a26ecc300.exe, win7-20231215-en
behavioral4: 052012a941d98920e0fed58649ccfa3b092344630d366889678fa94a26ecc300.exe, win10v2004-20231215-en
behavioral5: 7005535e034576fdb66b5b32eb198b48d7755758e77bd66909f8dd7288c1e069.exe, win7-20231215-en
behavioral6: 7005535e034576fdb66b5b32eb198b48d7755758e77bd66909f8dd7288c1e069.exe, win10v2004-20231215-en
behavioral7: ab65ada82bc55b7fb26b76eb5ed2e38ae19ff9b76c3693026f782e9f170e1706.exe, win7-20231129-en
behavioral8: ab65ada82bc55b7fb26b76eb5ed2e38ae19ff9b76c3693026f782e9f170e1706.exe, win10v2004-20231215-en
behavioral9: b0f8ff9688e743ae2fcb54a39910d02bb7687ba6821321cfe2ed44499a7e2b9a.exe, win7-20231215-en
behavioral10: b0f8ff9688e743ae2fcb54a39910d02bb7687ba6821321cfe2ed44499a7e2b9a.exe, win10v2004-20231215-en
behavioral11: b3ed13c61bfb6c80ff059cb8199d2c9ff457e05053f7301748e0605bd1fcd7f3.exe, win7-20231215-en
behavioral12: b3ed13c61bfb6c80ff059cb8199d2c9ff457e05053f7301748e0605bd1fcd7f3.exe, win10v2004-20231222-en
behavioral13: lockbit.pyc, win7-20231215-en
behavioral14: lockbit.pyc, win10v2004-20231215-en
behavioral15: bf01d97d76a6bb8f3cfbf4a697403f4b686d43fabb429a7bf9427aa70371df78.exe, win7-20231215-en
behavioral16: bf01d97d76a6bb8f3cfbf4a697403f4b686d43fabb429a7bf9427aa70371df78.exe, win10v2004-20231215-en
behavioral17: c6d3a10c9cad46abc555e4f5d605eab6164756acf995c7d9d123c2b46fb62b75.exe, win7-20231215-en
behavioral18: c6d3a10c9cad46abc555e4f5d605eab6164756acf995c7d9d123c2b46fb62b75.exe, win10v2004-20231215-en
behavioral19: e81bfaf195654662bf867c6be7115433e394a170e04f169558d294bbc93b3f94.exe, win7-20231215-en
behavioral20: e81bfaf195654662bf867c6be7115433e394a170e04f169558d294bbc93b3f94.exe, win10v2004-20231215-en
behavioral21: hc9.pyc, win7-20231215-en
behavioral22: hc9.pyc, win10v2004-20231215-en
behavioral23: ee9f2533600c091f246273960b5a2a1b7ceba7697edc5f23d4f6a980e7304485.exe, win7-20231215-en
behavioral24: ee9f2533600c091f246273960b5a2a1b7ceba7697edc5f23d4f6a980e7304485.exe, win10v2004-20231222-en
behavioral25: f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe, win7-20231215-en
behavioral26: f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe, win10v2004-20231215-en
behavioral27: Main.pyc, win7-20231215-en
behavioral28: Main.pyc, win10v2004-20231215-en
behavioral29: f2dcd2308c18fdb56a22b7db44e60cdb9118043830e03df02dac34e4c4752587.exe, win7-20231215-en
behavioral30: f2dcd2308c18fdb56a22b7db44e60cdb9118043830e03df02dac34e4c4752587.exe, win10v2004-20231215-en
behavioral31: f89ee06ed27ff00fa5d8f6a5811a9e57063c72c9ec7d478321cdf2a2f018866f.exe, win7-20231215-en
behavioral32: f89ee06ed27ff00fa5d8f6a5811a9e57063c72c9ec7d478321cdf2a2f018866f.exe, win10v2004-20231215-en
Malware Config
Extracted: C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR LQEPJHGJCZO FILES.TXT
Extracted: C:\Program Files\instructions_read_me.txt
https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Targets

Target: samples4 (2).zip
Size: 42.6MB
MD5: 9b57ef7e531dfa8a0e22d741ace7d11f
SHA1: f8dd7cd98c4ae3c49e6ee85ad94265d661ecdad3
SHA256: 27ee59c2aa3a020f2966d4946845edf9449e9f2e2ce5fdccbfe31fb2ba5d69d7
SHA512: 2cd6dec3f56b656aaa2638b90d6fb61a005d1bd9304d2bb37b0f344ab699d4061beaaaf8d208e175b3ff9528d634a730d2be8731510342a4f731166877da45bb
SSDEEP: 786432:9nEppsCB2TE+tUUHqsX5ATG6NtJiGoI341+dC16tzO1Zi43ktj386ChLc654jZUZ:9EQCB2T7BF5AjJiEdvY3ZhLd4lYB
Score: 1/10

Target: 052012a941d98920e0fed58649ccfa3b092344630d366889678fa94a26ecc300
Size: 3.0MB
MD5: a813a7d9f0348c18c08a8830145360a4
SHA1: 46da626125575610cdde9934536c1fdd52c05817
SHA256: 052012a941d98920e0fed58649ccfa3b092344630d366889678fa94a26ecc300
SHA512: 12e010129989aa48ca5e680767da776122c876e11d72f011efb8503843d03ec8debb81884ecef4512c64bdf9bae40001adc2c228ca6a640621dc22ecec559317
SSDEEP: 98304:WpW5QJvhA07f09Glj6Cj6OtwTf9TpR3sE196i:JOL0cjTjNc
Score: 1/10

Target: 7005535e034576fdb66b5b32eb198b48d7755758e77bd66909f8dd7288c1e069
Size: 5.3MB
MD5: 493640f022a7ac07ad4e8d6f2cd3740e
SHA1: 4c4a1df308e415ab356d93ff4c5884f551e40cf5
SHA256: 7005535e034576fdb66b5b32eb198b48d7755758e77bd66909f8dd7288c1e069
SHA512: d29b40298f00ba619a59f4aa7cec1bb1ec753df948b9fa50e7e158150ca21801783d701c8ed32a8e3811f138ad948b4077c8cf2b7da5b25917ec8eebe7435c26
SSDEEP: 49152:U6q9fOpwcf1pHot9E4IaCf1kin7N0Iu1YES/N4ggvewaFSenC00qTQeVptYt1dmT:ofk3oC9n7N0Iu19SV4ISeLQevtYVmS
Score: 1/10

Target: ab65ada82bc55b7fb26b76eb5ed2e38ae19ff9b76c3693026f782e9f170e1706
Size: 3.0MB
MD5: db812177bb05241d7c5f947eade0e619
SHA1: 822422ced38c79a13f7daacb1703fff2a78cd7ac
SHA256: ab65ada82bc55b7fb26b76eb5ed2e38ae19ff9b76c3693026f782e9f170e1706
SHA512: d91e16b1f6f157388d10c86deed8030b0b03ac48026bffe7b6847997601b6a37120e60a3b47e684a877b5d4d2906358d66066233f82951457ab093dd77cfba88
SSDEEP: 49152:5exoHxm0o5IBo6sjdJKvhwK+/UDhyHVu07EwallsC3U:5+UD2Vu9li4
Score: 10/10
- Renames multiple (4486) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Adds Run key to start application

Target: b0f8ff9688e743ae2fcb54a39910d02bb7687ba6821321cfe2ed44499a7e2b9a
Size: 3.2MB
MD5: f1031a188e6970d4fb633cccfd95db24
SHA1: b180b8fe1b371d3e06e22d06cbbb0e6b31cb4393
SHA256: b0f8ff9688e743ae2fcb54a39910d02bb7687ba6821321cfe2ed44499a7e2b9a
SHA512: d26fc043e568bc89b424895229102c9b1a9250061acafd85824c299e678c96085bc3f710d3d3e21750c03be072997bd61b24b5d5dd2356bc3c464ccac6356e85
SSDEEP: 49152:ClDhkJlNe8e32UVJDAQ4iZMo5zqxWVu+21Gh5J:aC98zqxWI0h
Score: 1/10

Target: b3ed13c61bfb6c80ff059cb8199d2c9ff457e05053f7301748e0605bd1fcd7f3
Size: 15.5MB
MD5: 4dc869e513c2dbabaf84d05e360c121d
SHA1: e353efeff34187704a09a4d4426c8831dcc0275a
SHA256: b3ed13c61bfb6c80ff059cb8199d2c9ff457e05053f7301748e0605bd1fcd7f3
SHA512: 90ef3295fe50632e57a3a4dc292fc831381414a404b31fbb60430206834bf71f06205ef15ec7cf2c633b3afd0f4e85f4d711af9a7ddc447c0d796d44d43cf4ca
SSDEEP: 393216:YTXarpNAbXCpT9c5hlER2/m3pg/A2hSJ7V2iYumy5WM1NX:sovAgZEhk2Kg/A2hSJ7UiYhy5l
Score: 9/10
- Clears Windows event logs
- Modifies boot configuration data using bcdedit
- Renames multiple (1017) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: lockbit.pyc
Size: 18KB
MD5: b98150eee419a3d3221c2076848e2788
SHA1: b8146b6183b3b19de9edd813191321095709d015
SHA256: 33b3b726fc789a25c4f5f4882dc10c3b84147297852f9141a5ac5bb67926a265
SHA512: 03e9d2184c39f47ccee3bb8d88dcdd8ec3332ced79c6b5352f387cdf0baee0a962be45fabc3d4ea7c130776f598c16c4e24b77208dc64016f8fdff60cb2906cc
SSDEEP: 384:Cl1OW4CmRsERB3J7X+PxpRJs8wDXOnlZHtw+9wmFEh2ppuvy7Kl+:AY7X3APxTJszglVtGGE43nH
Score: 3/10

Target: bf01d97d76a6bb8f3cfbf4a697403f4b686d43fabb429a7bf9427aa70371df78
Size: 3.8MB
MD5: 7c3a6e3b8468a9ce9aa21b8afc140473
SHA1: 9f2bae4257e6509e7aa467a623786a0c0b10a8c8
SHA256: bf01d97d76a6bb8f3cfbf4a697403f4b686d43fabb429a7bf9427aa70371df78
SHA512: df1172cdecbdfafe76db72244fa1b20ac5cca40ac596ae6157d1784c2890d5198bfbeba243a05a13e550ef3429f05670c065f2fc281f90df7973fe4e042e00e6
SSDEEP: 98304:D7YlmkAB4MGZEmWAqG26XQ3hOeMP+pgODgRJCMwWtca4EOKKv1GeE2nMJrOlaN60:6YB4M4tjeHw4CnBvMB1rtbfhORKkf4CE
Score: 7/10
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

Target: c6d3a10c9cad46abc555e4f5d605eab6164756acf995c7d9d123c2b46fb62b75
Size: 2.9MB
MD5: 44f42dc610bc34e6ba9ec11cb6651948
SHA1: f69c7a8a06582309a4020b1f3c11efcb3307d3d9
SHA256: c6d3a10c9cad46abc555e4f5d605eab6164756acf995c7d9d123c2b46fb62b75
SHA512: 1f99c42645b2374e848f9c0dbf23573033364cf1898ba0031eff65e25d45585acb4691e3223fbdbe5cc465f4a5714d98bfcb6539185bf37b4d537d18a9cf1a3b
SSDEEP: 49152:3mer6a3OsA3P+SJfWDzG5nEm6oPTVSi2pg0B7B:3HP3OP32SJODqKiJ/v0tB
Score: 1/10

Target: e81bfaf195654662bf867c6be7115433e394a170e04f169558d294bbc93b3f94
Size: 2.6MB
MD5: 362138a2faea93e59c8fb010f1481ef5
SHA1: e8ccfa8b4a2810a2c163bf9308ba0b9b47318dc6
SHA256: e81bfaf195654662bf867c6be7115433e394a170e04f169558d294bbc93b3f94
SHA512: 62bb9ee592b9c98305eb783f5db55ebd36629d2ddad209190188b57a0ccbaf6d789adcdef1badd7a4dd039f74b1131dd35754135ab086f356846cdf98aa6e360
SSDEEP: 49152:CT2NkLn3tayOFhpvrnq3Y0O6OooDKU1+V5MDexWepFC83JnxpICoca+w6DW1+i6x:/NkLn3tayIhBrqoRerU1+XMETZ8es+iI
Score: 7/10
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Loads dropped DLL

Target: hc9.pyc
Size: 7KB
MD5: 9909cbd45aef2d49c7a3c037e67e5a34
SHA1: 69d1fc7080d834b2c580e7f01f9d80a764c098bd
SHA256: 57883596f57d8f9d1bc0cf9bd6551065f00152fac1e38348ad65a03c229bf59c
SHA512: a48a8f5dea0d32fb1b98226bdee98e9429f82a2d98bc3235779caff21d53c07eb37dc723589812e87e9337c58eb5e3e89dd7411b3ede616dccae027d9467e122
SSDEEP: 192:9JnpNAgcb2ryFLkzuPTO+er/Gd9vnSj6fZWCaCXWTzQwbKOuOv0Cb83vNTjwfQ69:9JpN1cb2r8AzuPTO7r/8vng6fZtaMWTl
Score: 3/10

Target: ee9f2533600c091f246273960b5a2a1b7ceba7697edc5f23d4f6a980e7304485
Size: 2.6MB
MD5: 586d9e5d8a90301b494e833d36302383
SHA1: 360f1ec8899f3a8cc13f9b78e8688ef77089f4fe
SHA256: ee9f2533600c091f246273960b5a2a1b7ceba7697edc5f23d4f6a980e7304485
SHA512: 8b37094e7677ed91f7d5471d680f6d6e5f2273e61271bb2ec6a661aac3db7957841e0a11807926cba53aa2c4261e179dd3dabddaabdf9a7a1ff81e6973467043
SSDEEP: 49152:j5pM0HdHHl43vRA9sX78IuPCUns2zkqhw/W8M3UNXFOrSnj940a7MZGz+T:g09He3pA9srju6UnsFd/WR3U5FOrSnj9
Score: 7/10
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.

Target: f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6
Size: 7.0MB
MD5: 3beee8d7f55cd8298fcb009aa6ef6aae
SHA1: 672a992ea934a0cba07ca07b80b62493e95c584d
SHA256: f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6
SHA512: 12bd64d10620c1952127c125e7beb21b3727d8afb6440d48058785267b227a534ee6112d84372749496481cb6edb5c90eeb159689b443fe0f10f4a9202a83a5f
SSDEEP: 196608:gUWfTu5s5E6s6eLL1mkJ2Z9Jq5dOYo+SJVTXOD0ch:gUWfTuK5E6s6sBmKk9JMo5/eN
Score: 9/10
- Renames multiple (79) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Loads dropped DLL

Target: Main.pyc
Size: 9KB
MD5: 9004917f87d6ca40750dc0c1fadd1204
SHA1: 628d03b5c518f392a87d4806f5c14adfd47cc68e
SHA256: 2273f12abfb133e79bd86f15bae3c268fb11853b8add609fc8e581873091c55b
SHA512: edc60074a57187bba503f04b66b32c4c88ab4815c0a44822b9fe72851ca7dfec7091eb2cd9067a905765d3c73783174aec85c90504bd0b535b2a739d53086580
SSDEEP: 192:fBV58NRchh3C6iKZyN0194tcmGw/n5AlhvMTPEZp:fBb8wbCVlltzGHn
Score: 3/10

Target: f2dcd2308c18fdb56a22b7db44e60cdb9118043830e03df02dac34e4c4752587
Size: 3.0MB
MD5: 3d9d35e36761c7be729f254de5f5c307
SHA1: 96963e5186d8e18d9f9ddb9203478e6a60bfce39
SHA256: f2dcd2308c18fdb56a22b7db44e60cdb9118043830e03df02dac34e4c4752587
SHA512: 1d581ce569d92258b3519ff3b072a13d5962a258232bad377a15e6b7f53bd9eeb21e6516c26eff3296131188aec8dbf17970fba3fb54691ccd389367a0dfdd51
SSDEEP: 49152:D+PVhR1b4NrzHJ9UJzJcFO0QP7UFZjaMQ7zAAAHJAF/VvOAI8TJ:Swu5bMQ7zAAAHJAtVvOA
Score: 3/10

Target: f89ee06ed27ff00fa5d8f6a5811a9e57063c72c9ec7d478321cdf2a2f018866f
Size: 4.8MB
MD5: 80c4eabe7ca7200a3735cafe4246e43b
SHA1: f19ea1ca4c8e0ac88c25d5d433dca3413d17d2f9
SHA256: f89ee06ed27ff00fa5d8f6a5811a9e57063c72c9ec7d478321cdf2a2f018866f
SHA512: d6db156fdf7b762295d03f8deb568e584c3d92952156142276f68d05e1a4c3bdaf541b2709ddd9630c6aee249e81d0537ad4e1fcc05f1170c2100cef83a3e11b
SSDEEP: 49152:c5Yvom3XQQNrb/T5vO90dL3BmAFd4A64nsfJXL42r+S++UwP5VfvqmEw5EwHgrYD:F3ve2S+YBEqVHBCEhLRSm
Score: 10/10
- Clears Windows event logs
- Stops running service(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
MITRE ATT&CK Enterprise v15 (tactic > technique > sub-technique, with signature counts)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (1)
  Indicator Removal (4)
    File Deletion (3)
  Modify Registry (1)