Analysis

  • max time kernel
    147s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-03-2024 02:40

General

  • Target

    75e3d908fdddee413481dba88258783b.exe

  • Size

    156KB

  • MD5

    75e3d908fdddee413481dba88258783b

  • SHA1

    4cd6c1a88f3575d298aa168356651d5237bb72ab

  • SHA256

    36aae3ba1a6fd78e040bba4522f6c15d5a3627ae78b27ff6879ee64d038445a4

  • SHA512

    d7c1e0bd3eb3888579ef696ea48ae4d83d70f08b3bafb23288a81ed40e1501513e2739af119c4a0f9d788f7aa4a6500df80260151a8eeeb7f6fe19fc5cf34256

  • SSDEEP

    3072:ZfDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP33686plZG1kqxSb6W:ZB5d/zugZqll32rZ2txSb

Score
10/10

Malware Config

Extracted

Path

C:\Users\O957g99QW.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~

>>>>> Your data is stolen and encrypted.
BLOG Tor Browser Links:
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

>>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live

>>>>> You need to contact us on TOR darknet sites with your personal ID
Download and install Tor Browser https://www.torproject.org/
Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.

Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks):
http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>> Your personal Black ID: 27E1278B16C094FD4CE9B6AD680DEF03 <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

>>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files!
>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
Signatures

  • Renames multiple (169) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe
    "C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\ProgramData\CE09.tmp
      "C:\ProgramData\CE09.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      PID:3484
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini

    Filesize

    129B

    MD5

    ba16ad22f42d1b281573a5812d57b053

    SHA1

    7f1595c013c38e666cf1931bdb8a8f3b1f715ed5

    SHA256

    a7b5d7537c864e55b9012b5b0c652b9bbfb66e045d3013eda1fd128d5e65081a

    SHA512

    c36ea7a8e8523cc6d80bbb2cbd431af9226a6b9f9ed015930874eb23806f63aa42bcbac8fc2eb125448e5ff6f37be831c181b9ff72b637f55e9a2e62690827fa

  • C:\ProgramData\CE09.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

    Filesize

    156KB

    MD5

    cb3ec9edce59a3638e5b255d6148839d

    SHA1

    3a06aed51576265d8178ae417eb4118ec87eb37f

    SHA256

    5c40d284689190e244886d6a81a928a098d9b9d6b8877e6e2e9081877ae8a7d1

    SHA512

    ba4802874879c361002f6ec462a4950e8c1e5feabc48a629d978e87671ce13fdeb0cb856ab66afc4d5def17308574c6bb23d70feab340ed0c3931787771c913c

  • C:\Users\O957g99QW.README.txt

    Filesize

    3KB

    MD5

    0000799ebb390273026f8c43f98cd650

    SHA1

    d619d43fbf045b5cecbc38c5f509918c09bcd744

    SHA256

    fec0c3f70fc4672c5ffae34695ae3aee68cce97d9b952012ef18597f5bd90c5d

    SHA512

    8a53b665e418fee4780a51f04c20e70470c455bf4fc7ef0b105fb93a248f6ebd6b1daf4236f46847d310c3317aef662749273727172d0146a64e31268d813ffe

  • F:\$RECYCLE.BIN\S-1-5-21-2727153400-192325109-1870347593-1000\HHHHHHHHHHH

    Filesize

    129B

    MD5

    d0bb69d823b9440e3e4a00eff6fb1159

    SHA1

    19fe772b01b7a790e4275dd2369c1af90117197f

    SHA256

    d22c62e617c9ce7c061d724c868ef576f814f61332e67fae11034f86700a79c1

    SHA512

    6a8781fe492b40a7d9daf7d745379398c253a30fa28e20a2766cb8769e3f82c925bad61c42a8ea915524904455b57bb437d3b32d449253439c2a53deb0d3b3df

  • memory/3484-329-0x00000000026C0000-0x00000000026D0000-memory.dmp

    Filesize

    64KB

  • memory/3484-328-0x000000007FE40000-0x000000007FE41000-memory.dmp

    Filesize

    4KB

  • memory/3484-330-0x00000000026C0000-0x00000000026D0000-memory.dmp

    Filesize

    64KB

  • memory/3484-334-0x000000007FE20000-0x000000007FE21000-memory.dmp

    Filesize

    4KB

  • memory/3484-339-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

    Filesize

    4KB

  • memory/3484-361-0x00000000026C0000-0x00000000026D0000-memory.dmp

    Filesize

    64KB

  • memory/3484-362-0x00000000026C0000-0x00000000026D0000-memory.dmp

    Filesize

    64KB

  • memory/4296-0-0x0000000002B20000-0x0000000002B30000-memory.dmp

    Filesize

    64KB

  • memory/4296-321-0x0000000002B20000-0x0000000002B30000-memory.dmp

    Filesize

    64KB

  • memory/4296-322-0x0000000002B20000-0x0000000002B30000-memory.dmp

    Filesize

    64KB

  • memory/4296-2-0x0000000002B20000-0x0000000002B30000-memory.dmp

    Filesize

    64KB

  • memory/4296-1-0x0000000002B20000-0x0000000002B30000-memory.dmp

    Filesize

    64KB