General

  • Target

    2024-02-25_e6c711e9e99daf9d4b2bd783a41f4c46_darkside

  • Size

    148KB

  • Sample

    240225-1w649aeb8y

  • MD5

    e6c711e9e99daf9d4b2bd783a41f4c46

  • SHA1

    75d56beb4a588ffd5f7e78fce6ae4ad42450fbb4

  • SHA256

    f0db0d23b83b54d8a565f8e9bd66b4ae7be8b2f8efffc471b6e5ef95298376e8

  • SHA512

    5cb2ed283a37354f25727c5b4e1c3aa6b6c74d3adc45e28769170030ecbae34c8a1abfd409b91bfa5afcb0467b7e7d63f3f35d9cbc1b3d2318f5f00574813b94

  • SSDEEP

    3072:R6glyuxE4GsUPnliByocWep45bKdgalP34HBaJppN:R6gDBGpvEByocWe2pwbuaJr

Malware Config

Extracted

Path

C:\x6HpDuwdD.README.txt

Ransom Note
~~~ LockBit 3.0, the fastest ransomware in the world since 2019 ~~~ >>>> What happened? Your data is stolen and encrypted, the data will be published on TOR website if you do not pay the ransom. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we don't need anything other than your money. If you pay, we will provide you with the decryption programs and delete your data. Life is too short to be sad. Don't be sad, money is just paper. If we don't provide you with decryptors or delete your data after payment, no one will pay us in the future. This is why our reputation is very important to us. We attack businesses worldwide and there are no unsatisfied victims after payment. You can get information about us on Twitter: https://twitter.com/hashtag/lockbit?f=live >>>> You must contact us by email to be able to send us a message with the payment screenshot with your personal decryption id, so we will contact you again to give you our recovery software. Your personal decryption id: 132254CBA560850B3BEDC209B1684821 Our Bitcoin payment address: bc1q43rlc0qscd4xh2p5xxk2hnqtd4qrg4c9sn3f84 The amount to pay: €199.99 Our contact email address: [email protected] >>>> Why Bitcoin? As for the issue of anonymity, bitcoin is often considered more anonymous than traditional payment methods because it is not directly linked to your identity. Bitcoin transactions are recorded on a public blockchain, but they are pseudonymous. >>>> How to buy bitcoin? To buy bitcoin, start by looking for trusted exchanges like Coinbase, Binance, or Kraken. Once registered on one of these platforms, explore options for purchasing bitcoin using your local currency. Familiarize yourself with the process of verifying and securing a digital wallet. >>>> Information! Attention ! Do not delete or modify any files, this may cause recovery problems! Attention ! If you don't pay the ransom, we will repeatedly attack your business again!
URLs

https://twitter.com/hashtag/lockbit?f=live

Extracted

Path

C:\x6HpDuwdD.README.txt

Ransom Note
~~~ LockBit 3.0, the fastest ransomware in the world since 2019 ~~~ >>>> What happened? Your data is stolen and encrypted, the data will be published on TOR website if you do not pay the ransom. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we don't need anything other than your money. If you pay, we will provide you with the decryption programs and delete your data. Life is too short to be sad. Don't be sad, money is just paper. If we don't provide you with decryptors or delete your data after payment, no one will pay us in the future. This is why our reputation is very important to us. We attack businesses worldwide and there are no unsatisfied victims after payment. You can get information about us on Twitter: https://twitter.com/hashtag/lockbit?f=live >>>> You must contact us by email to be able to send us a message with the payment screenshot with your personal decryption id, so we will contact you again to give you our recovery software. Your personal decryption id: 132254CBA560850B986004746D40F635 Our Bitcoin payment address: bc1q43rlc0qscd4xh2p5xxk2hnqtd4qrg4c9sn3f84 The amount to pay: €199.99 Our contact email address: [email protected] >>>> Why Bitcoin? As for the issue of anonymity, bitcoin is often considered more anonymous than traditional payment methods because it is not directly linked to your identity. Bitcoin transactions are recorded on a public blockchain, but they are pseudonymous. >>>> How to buy bitcoin? To buy bitcoin, start by looking for trusted exchanges like Coinbase, Binance, or Kraken. Once registered on one of these platforms, explore options for purchasing bitcoin using your local currency. Familiarize yourself with the process of verifying and securing a digital wallet. >>>> Information! Attention ! Do not delete or modify any files, this may cause recovery problems! Attention ! If you don't pay the ransom, we will repeatedly attack your business again!
URLs

https://twitter.com/hashtag/lockbit?f=live

Targets

    • Target

      2024-02-25_e6c711e9e99daf9d4b2bd783a41f4c46_darkside

    • Size

      148KB

    • MD5

      e6c711e9e99daf9d4b2bd783a41f4c46

    • SHA1

      75d56beb4a588ffd5f7e78fce6ae4ad42450fbb4

    • SHA256

      f0db0d23b83b54d8a565f8e9bd66b4ae7be8b2f8efffc471b6e5ef95298376e8

    • SHA512

      5cb2ed283a37354f25727c5b4e1c3aa6b6c74d3adc45e28769170030ecbae34c8a1abfd409b91bfa5afcb0467b7e7d63f3f35d9cbc1b3d2318f5f00574813b94

    • SSDEEP

      3072:R6glyuxE4GsUPnliByocWep45bKdgalP34HBaJppN:R6gDBGpvEByocWe2pwbuaJr

    • Renames multiple (365) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks