Analysis

  • max time kernel
    95s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    26-02-2024 02:58

General

  • Target

    a5434b72fa80d4ed2bef826a36542dbc.exe

  • Size

    15.7MB

  • MD5

    a5434b72fa80d4ed2bef826a36542dbc

  • SHA1

    d4e3c16a2ffbfc3ed46adeea2f13d21edc332b85

  • SHA256

    e32dc551a721b43da44a068f38928d3e363435ce0e4d2e0479c0dfdb27563c82

  • SHA512

    f00307416dd0343a605b270dfb2915c50e794d6c56f5245f144a77b8d44a288e4a5da2e8cec8ec47050f71c3a01e8f52ca625bccabce4c119c977530b93f2a07

  • SSDEEP

    196608:DtigKrxQonhPMhfhJfBo1lcWxPclmBtGV7:AgK1QIZUHo2Kz27

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: C761DC4A4171AB301C9FC46D3440DF21

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 1 IoCs
  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5434b72fa80d4ed2bef826a36542dbc.exe
    "C:\Users\Admin\AppData\Local\Temp\a5434b72fa80d4ed2bef826a36542dbc.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\sharpsvn.exe
      "C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\sharpsvn.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:572
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:516
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1236
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2976
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1692
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

    Filesize

    512B

    MD5

    fc30d60ff3c7afd0f380772d190175c3

    SHA1

    abfcb72acd6414595597e11209f6377be9c64045

    SHA256

    2f6cf4c409045e407ddb166d278fd3fdb7e7bc0bf4f5f9c0a7143204d4274814

    SHA512

    6c711eb0ad102696ecb2d996e1a35c1bd2378db9fe60488ca48e96b262660c5f0ee3cc8c92009bd3dc45d07ce81ae8aeeb0726733a38b135cde9caf19f087ee8

  • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\Guide.pdf

    Filesize

    202KB

    MD5

    ba29594c18e5aa24a08a3733e4cb48f6

    SHA1

    c902f569b9e29618ee885a32bf785e6c9e7c45c3

    SHA256

    bba6086e816ecadd1adb342a3cb21c7a060ac6677696b2fd4d013f002a7715c4

    SHA512

    2f6802b4f1a242ecda4bb79e8ae9ce42d800352a756ab1b7951b7db5b6bfa59818b4cd8d22f5383d27b8c7a2ce7fa75fa2d120850060055ac9f2a37ed0b514f9

  • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\qclp-2.3.dll

    Filesize

    417KB

    MD5

    aab2eaea197c30759ff1b50d37e77485

    SHA1

    93a9b16f4f3df4a6bfb18bcafce8847b6a471e2d

    SHA256

    6d232ac7f7d93436b14866a79e969b889a47871498e6cab2a790ee38f50143df

    SHA512

    2fdf19be9d31b5d9f56041efe49df5c7ed6d4be28a201ce42d6fe54d60d76f73c349b21a378b926f3f5b0e46338f814afe3e40d68813d082b5a2a10fd9c5428c

  • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\html\startpage_banner.html

    Filesize

    490B

    MD5

    5d1f7da1c3d95020a0708118145364d0

    SHA1

    02f630e7ac8b8d400af219bd8811aa3a22f7186e

    SHA256

    d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a

    SHA512

    6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

  • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\html\startpage_connect_to_data_no_mru.html

    Filesize

    1KB

    MD5

    20bbd307866f19a5af3ae9ebd5104018

    SHA1

    8e03c9b18b9d27e9292ee154b773553493df1157

    SHA256

    e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7

    SHA512

    420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

  • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\html\startpage_connect_to_data_with_mru.html

    Filesize

    1KB

    MD5

    e6bc0d078616dd5d5f72d46ab2216e89

    SHA1

    f70534bb999bcb8f1db0cf25a7279757e794499f

    SHA256

    e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54

    SHA512

    6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

  • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\html\startpage_landing.html

    Filesize

    720B

    MD5

    0a5b47256c14570b80ef77ecfd2129b7

    SHA1

    69210a7429c991909c70b6b6b75fe4bc606048ae

    SHA256

    1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d

    SHA512

    5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

  • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\html\startpage_topstrip_no_mru.html

    Filesize

    659B

    MD5

    eced86c9d5b8952ac5fb817c3ce2b8ba

    SHA1

    3ca24e69df7a4b81f799527a97282799fcd3f1e2

    SHA256

    3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d

    SHA512

    a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

  • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\html\startpage_topstrip_with_mru.html

    Filesize

    798B

    MD5

    cc4d8a787ab1950c4e3aac5751c9fcde

    SHA1

    d026a156723a52c34927b5a951a2bb7d23aa2c45

    SHA256

    13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee

    SHA512

    e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

  • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\stylesheets\start_page.css

    Filesize

    2KB

    MD5

    f2ab3e5fb61293ae8656413dbb6e5dc3

    SHA1

    53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5

    SHA256

    06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192

    SHA512

    2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

  • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\stylesheets\start_page_landing.css

    Filesize

    282B

    MD5

    49617add7303a8fbd24e1ad16ba715d8

    SHA1

    31772218ccf51fe5955625346c12e00c0f2e539a

    SHA256

    b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907

    SHA512

    9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

  • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\sharpsvn.exe

    Filesize

    1.0MB

    MD5

    2f894b06c3734d7f09c459325bfc1c11

    SHA1

    f1312b997d794df30ca21e68e7c1abe7f4160655

    SHA256

    ff324f468083359b23231b7251920a405c7d3a324b626ac78584e6c93ed90dec

    SHA512

    08d553730dd6db3b6a476847508e1f76f2a76fe22a0ab604a52ce0b211301b26f2f2c8b01df6b9b2d2b32709b7f8c17e48fd1fe111a028034febf989c72a1dfb

  • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\sharpsvn.exe

    Filesize

    469KB

    MD5

    9a9dc0257d67676fbb00e8a695b30cb8

    SHA1

    b73e98886ce65b20efcee559c2ec88ea89dadc50

    SHA256

    deff6b6c3355db668899e6e83d543c9f10451186df95aa46ef90bf6f7394d683

    SHA512

    cc1ee43fde2651c5727132d360b5a91a4ccece2793dc2ad38154b88b34a6fbaa8d769f40bc4b2951244cdc80a8daad8c4f7393e31e2093454a8490b9630428ab

  • \Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\qclp-2.3.dll

    Filesize

    355KB

    MD5

    a8df6c8bd7a2026aabcf1953b033f9b3

    SHA1

    11eb6993a1e354459e767bd0d39c8712b0701d27

    SHA256

    84def85d3b14459d2f70c98538ed439def8423f69cf87db092de49807b44af20

    SHA512

    230992a530b6e7f366ffc1b2033d1faef830912e6623fca523d2ddf7905517e05ee0f85cb012e80cdc2c8f59653aec9e4927e11cb5d4dfb2c62aef72b7a5c4e3

  • \Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\sharpsvn.exe

    Filesize

    1.2MB

    MD5

    711174e385c25521c7f199f9531d93a7

    SHA1

    cd496714286dbae7b9c98facbf034b3fdb697edb

    SHA256

    bc897878b676326f1117e891db6b88d1681005191422bb383c471198ff5e2822

    SHA512

    7f1b2529c63cbf0af45a97e68bb8edb461af7cd9b2bec2fcaf8b358a941533956f2c2568c817565cb096d9de38c86db612c6a50928fb28ad427553f28e5594c5

  • memory/2196-322-0x0000000000400000-0x0000000000A55000-memory.dmp

    Filesize

    6.3MB

  • memory/2236-318-0x00000000032C0000-0x0000000003915000-memory.dmp

    Filesize

    6.3MB

  • memory/2236-319-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB