General

  • Target

    fdrsetrgh.exe

  • Size

    1.5MB

  • Sample

    240310-vgmt6sgf42

  • MD5

    fe5101b50e92a923d74cc6f0f4225539

  • SHA1

    f7a2fc4e471a203c8a5683c02ada2c3931c8f0ec

  • SHA256

    411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10

  • SHA512

    bd1fa89a7a1f7b9f1bcb6ac574b9ad09d8cd053723b24f8d5fbe4a5946e6fce4325040364d1e9e79f98421bc8c656e4601ba4c96ff63b1472bbb01b59e0414ee

  • SSDEEP

    24576:EbRKGN66DdkfD2mtArFoZpAQbuSy6Pj44aOLu5S3+RIYMpS:+RK4ZWDVt4G2r67458tYMU

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 8DF287EDD983EB155C7D8D436CED3597
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 8DF287EDD983EB158DDFE7F1D607005D
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Targets

    • Target

      fdrsetrgh.exe

    • Size

      1.5MB

    • MD5

      fe5101b50e92a923d74cc6f0f4225539

    • SHA1

      f7a2fc4e471a203c8a5683c02ada2c3931c8f0ec

    • SHA256

      411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10

    • SHA512

      bd1fa89a7a1f7b9f1bcb6ac574b9ad09d8cd053723b24f8d5fbe4a5946e6fce4325040364d1e9e79f98421bc8c656e4601ba4c96ff63b1472bbb01b59e0414ee

    • SSDEEP

      24576:EbRKGN66DdkfD2mtArFoZpAQbuSy6Pj44aOLu5S3+RIYMpS:+RK4ZWDVt4G2r67458tYMU

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      cff85c549d536f651d4fb8387f1976f2

    • SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    • SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    • SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    • SSDEEP

      192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks