General

  • Target

    2024-03-11_52d4594deedeb91119fe521913a00d63_darkside

  • Size

    148KB

  • Sample

    240311-y8sraadd8z

  • MD5

    52d4594deedeb91119fe521913a00d63

  • SHA1

    6fe557247936badebc8676248275cd2f00106655

  • SHA256

    74090a22f4713933e21739eb08a99705407554ff204201829894ab38405644f6

  • SHA512

    39c3e13a6982e3368fe4045b836b79398c3a0e9ce1239370e9d084ef9aed0041d9794c2bf2c511343f98fe041139f052a52f5b52437c3259267baf59d8837f69

  • SSDEEP

    3072:7qJogYkcSNm9V7D105NoSUhIhI8YoXXjT:7q2kc4m9tD1Sy1oH

Malware Config

Extracted

Path

C:\QO5k5RIUs.README.txt

Ransom Note
~~~ LockBit 3.0, the fastest ransomware in the world since 2019 ~~~ >>>> What happened? Your data is stolen and encrypted, the data will be published on TOR website if you do not pay the ransom. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we don't need anything other than your money. If you pay, we will provide you with the decryption programs and delete your data. Life is too short to be sad. Don't be sad, money is just paper. If we don't provide you with decryptors or delete your data after payment, no one will pay us in the future. This is why our reputation is very important to us. We attack businesses worldwide and there are no unsatisfied victims after payment. You can get information about us on Twitter: https://twitter.com/hashtag/lockbit?f=live >>>> How to pay to get the decryptor? You must contact us by email to be able to send us a message with the payment screenshot with your personal decryption id, so we will contact you again to give you our recovery software. Your personal decryption id: 8B87E170009F892031583A62EB771EA7 Our Bitcoin payment address: bc1q43rlc0qscd4xh2p5xxk2hnqtd4qrg4c9sn3f84 The amount to pay: 200.00$ Our contact email address: [email protected] >>>> Why Bitcoin? As for the issue of anonymity, bitcoin is often considered more anonymous than traditional payment methods because it is not directly linked to your identity. Bitcoin transactions are recorded on a public blockchain, but they are pseudonymous. >>>> How to buy bitcoin? To buy bitcoin, start by looking for trusted exchanges like Coinbase, Binance, or Kraken. Once registered on one of these platforms, explore options for purchasing bitcoin using your local currency. Familiarize yourself with the process of verifying and securing a digital wallet. >>>> Information? Attention ! Do not delete or modify any files, this may cause recovery problems! Attention ! If you don't pay the ransom, we will repeatedly attack your business again!
URLs

https://twitter.com/hashtag/lockbit?f=live

Extracted

Path

C:\QO5k5RIUs.README.txt

Ransom Note
~~~ LockBit 3.0, the fastest ransomware in the world since 2019 ~~~ >>>> What happened? Your data is stolen and encrypted, the data will be published on TOR website if you do not pay the ransom. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we don't need anything other than your money. If you pay, we will provide you with the decryption programs and delete your data. Life is too short to be sad. Don't be sad, money is just paper. If we don't provide you with decryptors or delete your data after payment, no one will pay us in the future. This is why our reputation is very important to us. We attack businesses worldwide and there are no unsatisfied victims after payment. You can get information about us on Twitter: https://twitter.com/hashtag/lockbit?f=live >>>> How to pay to get the decryptor? You must contact us by email to be able to send us a message with the payment screenshot with your personal decryption id, so we will contact you again to give you our recovery software. Your personal decryption id: 8B87E170009F89205E2BC9479BA0BAB4 Our Bitcoin payment address: bc1q43rlc0qscd4xh2p5xxk2hnqtd4qrg4c9sn3f84 The amount to pay: 200.00$ Our contact email address: [email protected] >>>> Why Bitcoin? As for the issue of anonymity, bitcoin is often considered more anonymous than traditional payment methods because it is not directly linked to your identity. Bitcoin transactions are recorded on a public blockchain, but they are pseudonymous. >>>> How to buy bitcoin? To buy bitcoin, start by looking for trusted exchanges like Coinbase, Binance, or Kraken. Once registered on one of these platforms, explore options for purchasing bitcoin using your local currency. Familiarize yourself with the process of verifying and securing a digital wallet. >>>> Information? Attention ! Do not delete or modify any files, this may cause recovery problems! Attention ! If you don't pay the ransom, we will repeatedly attack your business again!
URLs

https://twitter.com/hashtag/lockbit?f=live

Targets

    • Target

      2024-03-11_52d4594deedeb91119fe521913a00d63_darkside

    • Size

      148KB

    • MD5

      52d4594deedeb91119fe521913a00d63

    • SHA1

      6fe557247936badebc8676248275cd2f00106655

    • SHA256

      74090a22f4713933e21739eb08a99705407554ff204201829894ab38405644f6

    • SHA512

      39c3e13a6982e3368fe4045b836b79398c3a0e9ce1239370e9d084ef9aed0041d9794c2bf2c511343f98fe041139f052a52f5b52437c3259267baf59d8837f69

    • SSDEEP

      3072:7qJogYkcSNm9V7D105NoSUhIhI8YoXXjT:7q2kc4m9tD1Sy1oH

    • Renames multiple (309) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks