Analysis
-
max time kernel
162s -
max time network
171s -
platform
windows10-1703_x64 -
resource
win10-20231215-en -
resource tags
-
submitted
30-01-2024 16:24
General
-
Target
lockbit_1.exe
-
Size
160KB
-
MD5
fdd9f9ae1d24dcc709cd0abcea638ed0
-
SHA1
2fe29b620b51d2258373b12d926a91d0a3720a60
-
SHA256
4134d5d8f7b038e23e7887db56bb3ad295341a1aaf0bebe6be21d901d06dd662
-
SHA512
db995ac8fa51a49e3b9550b0bb4069bbef08a9157d942cffcae24cabb720be01e17afffc9bfb54e95d4883adc6af27c5cb78291d408d0137591eff690669c3ef
-
SSDEEP
3072:5uJ9OlKolUa1U197bzhVsmftsoo4jE8AI8vOMvjEF0Q:5ufj0zi1dNVsmfttjY8LLej40Q
Malware Config
Extracted
C:\uQK11TJ9E.README.txt
lockbit
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in System32 directory 4 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: RenamesItself 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\lockbit_1.exe"C:\Users\Admin\AppData\Local\Temp\lockbit_1.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
-
-
C:\ProgramData\38DF.tmp"C:\ProgramData\38DF.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
-
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{91E8818A-21ED-4D2C-82C2-9D31C0D1E7FB}.xps" 1335110549313600002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5101cf49eb0f732ac8ba17d12c32ae4f2
SHA13e4f5b8b77716204722656f2df15565422802597
SHA256e0773fc971c17e277770d328c399a371f6d97b4756c01fc2235201272b2fdcf0
SHA512376ad7502764cbf9791717544ba0faecc115da4f89c18acadd3347b014a2b0e57a203e400182f62632807a5485b9334a7ec5054d75aa0a62018dc2757099dda1
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
9.1MB
MD58800a17d7d518e13789fb9b0074e157f
SHA1d4a581a839a982ace1bc96a475088c593aca1505
SHA2563bd9a17c6feb95a062287b3adbbb4db91a3a5142bd5402c7c4e155224d454bb8
SHA5120039323ccedfac0006171ac77f7592c92a92fc199cc11721cd2b3153a0587513a5ee14c8388bddebb8928a42cf3ae2a6bbaef0eb58f6ba127895fa0eea775481
-
Filesize
160KB
MD5a920b5fc659d14b8c2f078da2253274f
SHA17f424c205dd5a8abe38fc693ef7552163a14b10b
SHA25621680b358f6cc786587cdf8d333f5a55e8366f887ba771388e90c8ef5b43f699
SHA51284640f45ff502a8b4f150747327ecad611fd0b8ddc5f03fef34f4fe711ab211a2ffe57e0460ada2d885cb889096d2cc5c2521a55c7f0308b26f9afcd06c87349
-
Filesize
10KB
MD55bf90e79772a2ac636743bfd5424d06e
SHA1954f2388df2f17b52a2fdf1f036e44acb0c4485c
SHA2568bff2e8d1504abc571aeb6c7ba26fb0cc85df0ded8d7d9b2c7cde39ab8e85cd2
SHA512e5a6d03f824fe3f8c79af9242d849a6506d1641829ce44dd139a2fb9e791fa96d64aad8ff7f56e096ba42fe0ff7f516f6c25a5ae3f2f503151b45e5c3d201200
-
Filesize
129B
MD56a7133e10bb6df233c693ca396687bc5
SHA10f5c239e90b03425b06a245fcbf2c3529a36a2fd
SHA2566521167b11e13725086de333bb3855fd5c742adffbfcf0834977f29daaf9089c
SHA5129f7c7711b061ba7685f8f238d9ef7239b2dbbee0dbc638893ade6a8d15a39d0d44643eb33d1e3ddfeddacef40e9ff63aad8bd7e82e76e8657d312290c2b8d7a4
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB