Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240221-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26-02-2024 02:58

General

  • Target

    a5434b72fa80d4ed2bef826a36542dbc.exe

  • Size

    15.7MB

  • MD5

    a5434b72fa80d4ed2bef826a36542dbc

  • SHA1

    d4e3c16a2ffbfc3ed46adeea2f13d21edc332b85

  • SHA256

    e32dc551a721b43da44a068f38928d3e363435ce0e4d2e0479c0dfdb27563c82

  • SHA512

    f00307416dd0343a605b270dfb2915c50e794d6c56f5245f144a77b8d44a288e4a5da2e8cec8ec47050f71c3a01e8f52ca625bccabce4c119c977530b93f2a07

  • SSDEEP

    196608:DtigKrxQonhPMhfhJfBo1lcWxPclmBtGV7:AgK1QIZUHo2Kz27

Malware Config

Extracted

  • Path
    C:\Program Files\dotnet\Restore-My-Files.txt
  • Ransom Note
    LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: C761DC4A4171AB30B15E4855144278EE
  • URLs
    http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
    https://bigblog.at
    http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
    http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
    https://decoding.at

Extracted

  • Path
    C:\Users\Admin\Desktop\LockBit_Ransomware.hta
  • Ransom Note
    Any attempts to restore your files with the thrid-party software will be fatal for your files! To recovery your data and not to allow data leakage, it is possible only through purchase of a private key from us There is only one way to get your files back: Through a standard browser Brave (supports Tor links) FireFox Chrome Edge Opera Open link - https://decoding.at/ Through a Tor Browser - recommended Download Tor Browser - https://www.torproject.org/ and install it. Open one of links in Tor browser and follow instructions on these pages: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or mirrorhttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion/These links work only in the Tor browser! Follow the instructions on this page https://decoding.at may be blocked. We recommend using a Tor browser (or Brave) to access the TOR site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about All your stolen important data will be loaded into our blog if you do not pay ransom. Our blog http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion or https://bigblog.at where you can see data of the companies which refused to pay ransom.
  • URLs
    https://decoding.at/
    http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
    https://decoding.at
    http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
    https://bigblog.at

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 1 IoCs
  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 5 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5434b72fa80d4ed2bef826a36542dbc.exe
    "C:\Users\Admin\AppData\Local\Temp\a5434b72fa80d4ed2bef826a36542dbc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\sharpsvn.exe
      "C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\sharpsvn.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4324
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1404
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2560
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5092
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3848
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3524
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:304
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 304 -s 1776
            4⤵
            • Program crash
            PID:4600
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1192
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:1824
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:5096
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{F59245F8-FAEB-4BC0-ADC2-FFAFB1D4E134}.xps" 133533900230520000
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
            OfficeC2RClient.exe /error PID=2792 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
            3⤵
            • Process spawned unexpected child process
            • Suspicious use of SetWindowsHookEx
            PID:4712
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 304 -ip 304
        1⤵
          PID:4240

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Program Files\dotnet\Restore-My-Files.txt

          Filesize

          512B

          MD5

          1950ffdbbf7c6aa25bbab0a4dab7d2f2

          SHA1

          002d9c5c46971ab7e4388fb22c7253c7d504d4b7

          SHA256

          4349bb95519bf6ee4b3f28e059917d3a1cad2fb0fd6f54d8e2da706ed20c1476

          SHA512

          0045479fd22b73e062e5b48225957504ce8de439354d07fb7f015bbfdf8967f06545da56938801563f20bfc3c39edbf27f71ca104aa24818bdb3b89570225126

        • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\Guide.pdf

          Filesize

          2.5MB

          MD5

          413618ca437d7831df51303188cd207b

          SHA1

          85ea80cfb5db25c756da7ba5992665ea80aee560

          SHA256

          f2d0e13a6ec546f169d45ad5b62ced1bcc3a4e01ae6dc3666239defc959e2baa

          SHA512

          f70dab7aca530bd5013903e050bd974c8ad991c5d8d5ef8b5f6f4efba8acc6d37014b8bc63e3e73679a8229a9e33fd4c0ed3c8b6d5b9628a8735cb32210b30e6

        • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\qclp-2.3.dll

          Filesize

          3.4MB

          MD5

          852ba853bb6e9fc1476a7907a17be760

          SHA1

          21ef22a3dd2e4b32fbe8f56b7d87510fd9529d5c

          SHA256

          b98b6b7e4ca7f5827d8d5cb34b39a3f4ca8c3dac5d7751d64876d944301084ff

          SHA512

          79bdc1fc374d2cb147237d5e34bc95ba1744ed111d1bd861c28124732e4c179442aec9f7b0ee33d65eef0c9e4eb939d3a5392b9f81cb518ce3ca47ccd86f6c12

        • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\html\startpage_banner.html

          Filesize

          490B

          MD5

          5d1f7da1c3d95020a0708118145364d0

          SHA1

          02f630e7ac8b8d400af219bd8811aa3a22f7186e

          SHA256

          d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a

          SHA512

          6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

        • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\html\startpage_connect_to_data_no_mru.html

          Filesize

          1KB

          MD5

          20bbd307866f19a5af3ae9ebd5104018

          SHA1

          8e03c9b18b9d27e9292ee154b773553493df1157

          SHA256

          e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7

          SHA512

          420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

        • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\html\startpage_connect_to_data_with_mru.html

          Filesize

          1KB

          MD5

          e6bc0d078616dd5d5f72d46ab2216e89

          SHA1

          f70534bb999bcb8f1db0cf25a7279757e794499f

          SHA256

          e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54

          SHA512

          6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

        • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\html\startpage_landing.html

          Filesize

          720B

          MD5

          0a5b47256c14570b80ef77ecfd2129b7

          SHA1

          69210a7429c991909c70b6b6b75fe4bc606048ae

          SHA256

          1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d

          SHA512

          5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

        • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\html\startpage_topstrip_no_mru.html

          Filesize

          659B

          MD5

          eced86c9d5b8952ac5fb817c3ce2b8ba

          SHA1

          3ca24e69df7a4b81f799527a97282799fcd3f1e2

          SHA256

          3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d

          SHA512

          a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

        • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\html\startpage_topstrip_with_mru.html

          Filesize

          798B

          MD5

          cc4d8a787ab1950c4e3aac5751c9fcde

          SHA1

          d026a156723a52c34927b5a951a2bb7d23aa2c45

          SHA256

          13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee

          SHA512

          e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

        • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\stylesheets\start_page.css

          Filesize

          2KB

          MD5

          f2ab3e5fb61293ae8656413dbb6e5dc3

          SHA1

          53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5

          SHA256

          06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192

          SHA512

          2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

        • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\res\public\en\stylesheets\start_page_landing.css

          Filesize

          282B

          MD5

          49617add7303a8fbd24e1ad16ba715d8

          SHA1

          31772218ccf51fe5955625346c12e00c0f2e539a

          SHA256

          b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907

          SHA512

          9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

        • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\sharpsvn.exe

          Filesize

          534KB

          MD5

          62d380039dbd4583cb503e5e42c28ecb

          SHA1

          87e60217dfe6496083ba458fa4292d2a65c0a0c1

          SHA256

          1f18a6384b6992bd479de73434103c79d1f115e2e9444de6b9a927892f938cb3

          SHA512

          42f5eccf470325044e6501e84e185b85614496fd2638dd63d7cc16c85620a9d5b21c47a5c7283734675fb36c2ae691ff5a6f6a680c62a392b76d55d260c12516

        • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\sharpsvn.exe

          Filesize

          4.5MB

          MD5

          ef50ef3042c0dc0bd690169425e4fc48

          SHA1

          594e4b5f9c0b89ce83ff02923bf4df74c51df79e

          SHA256

          799b8493ba4a618094833d5a0d9af0d16d66b2666073bf7a08d82315ecb04205

          SHA512

          f6f7ae5ebc825aaabe2192e11338fae1fa2bcba552cd0de253ef45db17f862f7d821df29a246df262c2557d4944c7457634a79da58e9772cfe803b557c2f7987

        • C:\Users\Admin\AppData\Roaming\SharpSvn Project\Advanced SharpSvn\sharpsvn.exe

          Filesize

          4.2MB

          MD5

          f62104ffbaf3d93046a0321700305c57

          SHA1

          557623e42015fab8e7ed5ecbae748e8abce075ff

          SHA256

          2094fff49ee013aa1c30102faaa41a4a7d2418fe6b7ca482fe395b0da05e4cc5

          SHA512

          d5702e4d010158010151d0f47a551b1922fd64470f2bf3ef98d63445929c76db9bf1bedfbefe2c46e0f2481521e69648df4ae4e0e7422f26b6ccdcaeb460a1fa

        • C:\Users\Admin\Desktop\LockBit_Ransomware.hta

          Filesize

          46KB

          MD5

          c15c6adc8c923ad87981f289025c37b2

          SHA1

          bfe6533f4afe3255046f7178f289a4c75ad89e76

          SHA256

          90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1

          SHA512

          31dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83

        • memory/4324-326-0x0000000000400000-0x0000000000A55000-memory.dmp

          Filesize

          6.3MB

        • memory/4324-7391-0x0000000000400000-0x0000000000A55000-memory.dmp

          Filesize

          6.3MB

        • memory/4492-324-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB