General
-
Target
svhost.exe
-
Size
959KB
-
Sample
240213-b2ke1ahg94
-
MD5
f440c3ffa3e4b95a0efcd52b32b7fffc
-
SHA1
6fb5859662b82949adc484e366cdbf6ac441bceb
-
SHA256
3b0da3a5cf3f198873bec03fb4492d0b47c17552d966215e9ccf7a81ec45e1e9
-
SHA512
0f46735a971efdb4aab18357c2dfe75a03a0fca1ad52b189f0f01ecf4b43addd2f37c8d05dd71c5d249a0805ba5232d8ada6e1e34ebe8c5ea7dc0a94fc1ad788
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpd3F:Ujrc2So1Ff+B3k796x
Static task
static1
Behavioral task
behavioral1
Sample
svhost.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
svhost.exe
Resource
win10v2004-20231215-en
Malware Config
Extracted
C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\Program Files\dotnet\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\Users\Admin\Desktop\LockBit_Ransomware.hta
https://decoding.at/
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
Targets
-
-
Target
svhost.exe
-
Size
959KB
-
MD5
f440c3ffa3e4b95a0efcd52b32b7fffc
-
SHA1
6fb5859662b82949adc484e366cdbf6ac441bceb
-
SHA256
3b0da3a5cf3f198873bec03fb4492d0b47c17552d966215e9ccf7a81ec45e1e9
-
SHA512
0f46735a971efdb4aab18357c2dfe75a03a0fca1ad52b189f0f01ecf4b43addd2f37c8d05dd71c5d249a0805ba5232d8ada6e1e34ebe8c5ea7dc0a94fc1ad788
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpd3F:Ujrc2So1Ff+B3k796x
Score10/10-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-