General

  • Target

    240224-2cs9qagf6v_pw_infected.zip

  • Size

    97KB

  • Sample

    240225-mvag1aaf8v

  • MD5

    ab14ad522014c4bd0b710d8fe4a5996b

  • SHA1

    35026a86be29161507dfddaa6e110420b2971295

  • SHA256

    e51155ce803bd9b96b91c822e41969c89e0c9e162aebc7643c23ed9489eb75b4

  • SHA512

    d6be06d567199dfef76b17503e9580776b1edf3c8340040e8fadd1a5b202ee84954fab58678e7a4581e4a9746e51f43842d5a7616018d343df601e5ca38b42c0

  • SSDEEP

    3072:GHz3VBGxh2CqEgIOH/boAWwKZE0ljVZ90+4Bgn3Q847:8Bc2CTsfJ0lTK+wgngV

Malware Config

Extracted

Path

C:\8O1xgE2fH.README.txt

Ransom Note
~~~ LockBit Black Ransomware Since 2024~~~ >>>> Your data are stolen and encrypted Price = 2000 $ Bitcoin = 328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2 Email = [email protected] >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> Your personal DECRYPTION ID: A3138014A48MK4D6D525F3F372263313 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
Wallets

328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2

Targets

    • Target

      2024-02-24_4fb4a10158fe5415e8e9468ec2d0dbbc_darkside

    • Size

      146KB

    • MD5

      4fb4a10158fe5415e8e9468ec2d0dbbc

    • SHA1

      095a4dd380e86c9d1e6ea0263368b908ee0e1d5d

    • SHA256

      b8c53972ca8e7c683183a34b5a4e17f04d9bca80d8d2e156e99fb8973d41f6b9

    • SHA512

      7092460ecf28dc9202481ba0849a8eb87cae92d9fff7b157e600ee219939d1bf7c534cd3a12ecab4c70e28c313a9f3413ae75398168aed8253147f3db5782b1e

    • SSDEEP

      3072:EqJogYkcSNm9V7DR9+kanoBQOvBEEnbNgT:Eq2kc4m9tDR9lhv+EnJ

    • Renames multiple (10119) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks