General

  • Target

    2ecf1fe02d8fb099b68e4d9bceeeadbe5fc8347f5a76d52f35ed48b516963735

  • Size

    959KB

  • Sample

    240314-eqtfbacd38

  • MD5

    ebd239b8b8fe486b2a13a5896a96d044

  • SHA1

    60821226d8d934d488d4f8e8081c32c6a73f8929

  • SHA256

    2ecf1fe02d8fb099b68e4d9bceeeadbe5fc8347f5a76d52f35ed48b516963735

  • SHA512

    2bd55c0548c3bdccde061098ed314705c131e745c8a7503708f2e8a5c98beb94fb55c7f7a183945c199badcacae37d81e5edc9afd9c802b2778867928e7371f6

  • SSDEEP

    24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdHF:Ujrc2So1Ff+B3k7969

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\lib\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 9ED1D8ED9B71E453AA0AA56F1BB11ED2
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 9ED1D8ED9B71E453ABAA310EA52BA135
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Targets

    • Target

      2ecf1fe02d8fb099b68e4d9bceeeadbe5fc8347f5a76d52f35ed48b516963735

    • Size

      959KB

    • MD5

      ebd239b8b8fe486b2a13a5896a96d044

    • SHA1

      60821226d8d934d488d4f8e8081c32c6a73f8929

    • SHA256

      2ecf1fe02d8fb099b68e4d9bceeeadbe5fc8347f5a76d52f35ed48b516963735

    • SHA512

      2bd55c0548c3bdccde061098ed314705c131e745c8a7503708f2e8a5c98beb94fb55c7f7a183945c199badcacae37d81e5edc9afd9c802b2778867928e7371f6

    • SSDEEP

      24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdHF:Ujrc2So1Ff+B3k7969

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks