General

  • Target

    54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f

  • Size

    959KB

  • Sample

    240314-esed6scd73

  • MD5

    0ee7386109b1f3596ae62735cf53f6b3

  • SHA1

    0a67f0154a003fd06597a28dd2fd3e2f63b333b7

  • SHA256

    54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f

  • SHA512

    dbc5f19de20129121c3c8ba6d3230198272a150023a7ec896bec14c2d33c6ed49cb6fc5dbb19250674e763a9e3f2f9dad4badffd9fe712a97b1c36c0d1291a73

  • SSDEEP

    24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdtF:Ujrc2So1Ff+B3k796L

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: BCC23CDC3178BD7F0935AC2D8850B417
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: BCC23CDC3178BD7F974ED410867F92E8
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Targets

    • Target

      54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f

    • Size

      959KB

    • MD5

      0ee7386109b1f3596ae62735cf53f6b3

    • SHA1

      0a67f0154a003fd06597a28dd2fd3e2f63b333b7

    • SHA256

      54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f

    • SHA512

      dbc5f19de20129121c3c8ba6d3230198272a150023a7ec896bec14c2d33c6ed49cb6fc5dbb19250674e763a9e3f2f9dad4badffd9fe712a97b1c36c0d1291a73

    • SSDEEP

      24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdtF:Ujrc2So1Ff+B3k796L

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks