General

  • Target

    2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside

  • Size

    148KB

  • Sample

    240225-wf48haad5t

  • MD5

    cd7d7812314f54d00bd58b2992e2c266

  • SHA1

    225d4a29632b516b9a4a109f866b3e90e6269c8d

  • SHA256

    b14a55a5dbc52dc58ee5447ced1caaac304e77aca7b5805a25456e2c2338309f

  • SHA512

    a91bf135f00f2d67271a5d2aa8e6b9c65a58b5a3d10e83f30019e63d25eec44f9e9aa24cccde38f12a6be25fe26b7076ff13a1bf987f742d250f75945a2d9664

  • SSDEEP

    3072:h6glyuxE4GsUPnliByocWepkj1CHnAZRru:h6gDBGpvEByocWeG1W

Malware Config

Extracted

Path

C:\Huq5PATQS.README.txt

Ransom Note
~~~ LockBit 3.0, the fastest ransomware in the world since 2019~~~ >>>> What happened? Your data is stolen and encrypted, the data will be published on TOR website if you do not pay the ransom. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we don't need anything other than your money. If you pay, we will provide you with the decryption programs and delete your data. Life is too short to be sad. Don't be sad, money is just paper. If we don't provide you with decryptors or delete your data after payment, no one will pay us in the future. This is why our reputation is very important to us. We attack businesses worldwide and there are no unsatisfied victims after payment. You can get information about us on Twitter: https://twitter.com/hashtag/lockbit?f=live >>>> You must contact us by email to be able to send us a message with the payment screenshot with your personal decryption id, so we will contact you again to give you our recovery software. Your personal decryption id: 0D935EF29325CDA2CA406BBBEBD7B6D9 Our Bitcoin payment address: bc1q43rlc0qscd4xh2p5xxk2hnqtd4qrg4c9sn3f84 The amount to pay: €199.99 Our contact email address: [email protected] >>>> Why Bitcoin? As for the issue of anonymity, bitcoin is often considered more anonymous than traditional payment methods because it is not directly linked to your identity. Bitcoin transactions are recorded on a public blockchain, but they are pseudonymous. >>>> How to buy bitcoin? To buy bitcoin, start by looking for trusted exchanges like Coinbase, Binance, or Kraken. Once registered on one of these platforms, explore options for purchasing bitcoin using your local currency. Familiarize yourself with the process of verifying and securing a digital wallet. >>>> Information! Attention ! Do not delete or modify any files, this may cause recovery problems! Attention ! If you don't pay the ransom, we will repeatedly attack your business again!
URLs

https://twitter.com/hashtag/lockbit?f=live

Extracted

Path

C:\Huq5PATQS.README.txt

Ransom Note
~~~ LockBit 3.0, the fastest ransomware in the world since 2019~~~ >>>> What happened? Your data is stolen and encrypted, the data will be published on TOR website if you do not pay the ransom. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we don't need anything other than your money. If you pay, we will provide you with the decryption programs and delete your data. Life is too short to be sad. Don't be sad, money is just paper. If we don't provide you with decryptors or delete your data after payment, no one will pay us in the future. This is why our reputation is very important to us. We attack businesses worldwide and there are no unsatisfied victims after payment. You can get information about us on Twitter: https://twitter.com/hashtag/lockbit?f=live >>>> You must contact us by email to be able to send us a message with the payment screenshot with your personal decryption id, so we will contact you again to give you our recovery software. Your personal decryption id: 0D935EF29325CDA2FD159C531A1A3D37 Our Bitcoin payment address: bc1q43rlc0qscd4xh2p5xxk2hnqtd4qrg4c9sn3f84 The amount to pay: €199.99 Our contact email address: [email protected] >>>> Why Bitcoin? As for the issue of anonymity, bitcoin is often considered more anonymous than traditional payment methods because it is not directly linked to your identity. Bitcoin transactions are recorded on a public blockchain, but they are pseudonymous. >>>> How to buy bitcoin? To buy bitcoin, start by looking for trusted exchanges like Coinbase, Binance, or Kraken. Once registered on one of these platforms, explore options for purchasing bitcoin using your local currency. Familiarize yourself with the process of verifying and securing a digital wallet. >>>> Information! Attention ! Do not delete or modify any files, this may cause recovery problems! Attention ! If you don't pay the ransom, we will repeatedly attack your business again!
URLs

https://twitter.com/hashtag/lockbit?f=live

Targets

    • Target

      2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside

    • Size

      148KB

    • MD5

      cd7d7812314f54d00bd58b2992e2c266

    • SHA1

      225d4a29632b516b9a4a109f866b3e90e6269c8d

    • SHA256

      b14a55a5dbc52dc58ee5447ced1caaac304e77aca7b5805a25456e2c2338309f

    • SHA512

      a91bf135f00f2d67271a5d2aa8e6b9c65a58b5a3d10e83f30019e63d25eec44f9e9aa24cccde38f12a6be25fe26b7076ff13a1bf987f742d250f75945a2d9664

    • SSDEEP

      3072:h6glyuxE4GsUPnliByocWepkj1CHnAZRru:h6gDBGpvEByocWeG1W

    • Renames multiple (327) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks