General

  • Target

    0b856337d9d3255fc3b07635fdadecbe83e23eb5c205eccab83c21c2fb76edc9

  • Size

    150KB

  • Sample

    240314-ensq1acc76

  • MD5

    ebe673b2ee28dd65565f2f389279ac47

  • SHA1

    bcebe09c61d3e6c47aefcb6bca0882752e0053a9

  • SHA256

    0b856337d9d3255fc3b07635fdadecbe83e23eb5c205eccab83c21c2fb76edc9

  • SHA512

    c100672fd9055e0d07996347dcc59b5f689dfb607222d4213d4aea741e85d8db8837a9c46f3343fba82095d0734a21315df1c55f404294da13074a5567e5ad56

  • SSDEEP

    3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/R:pq/1VP1OyysNmJyXsqqD/ls/R

Malware Config

  • Extracted

    Path

    C:\Program Files\DVD Maker\fr-FR\Restore-My-Files.txt

    Family

    lockbit

    Ransom Note

    All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?A51C1D5E9695AD10A4CB5FAE6D05AF80 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.

    URLs

    http://lockbitks2tvnmwk.onion/?A51C1D5E9695AD10A4CB5FAE6D05AF80

  • Extracted

    Path

    C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Restore-My-Files.txt

    Family

    lockbit

    Ransom Note

    All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?A51C1D5E9695AD10C389C299F16606FB This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.

    URLs

    http://lockbitks2tvnmwk.onion/?A51C1D5E9695AD10C389C299F16606FB

Targets

    • Target

      0b856337d9d3255fc3b07635fdadecbe83e23eb5c205eccab83c21c2fb76edc9

    • Size

      150KB

    • MD5

      ebe673b2ee28dd65565f2f389279ac47

    • SHA1

      bcebe09c61d3e6c47aefcb6bca0882752e0053a9

    • SHA256

      0b856337d9d3255fc3b07635fdadecbe83e23eb5c205eccab83c21c2fb76edc9

    • SHA512

      c100672fd9055e0d07996347dcc59b5f689dfb607222d4213d4aea741e85d8db8837a9c46f3343fba82095d0734a21315df1c55f404294da13074a5567e5ad56

    • SSDEEP

      3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/R:pq/1VP1OyysNmJyXsqqD/ls/R

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (8676) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger
