Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2024 04:14

General

  • Target

    74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe

  • Size

    959KB

  • MD5

    e9cd8c321b68118611a0863b0b91b8f5

  • SHA1

    dde3509b41639f4ae7383bcd7b1c17db88b667cf

  • SHA256

    74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78

  • SHA512

    35fd50ec73ac69aab6c98a1f107c418acaffd9c4c933133064776962520a94d54f796b59558d72ede581e78e405b55c22f7a40d0788244f6d274fe399facacf3

  • SSDEEP

    24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdAF:Ujrc2So1Ff+B3k796W

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: FB5EDCE4A6E878753E2C61430F983599
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe
    "C:\Users\Admin\AppData\Local\Temp\74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2480
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2508
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2740
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2516
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.7 -n 3
        3⤵
        • Runs ping.exe
        PID:1856
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe"
        3⤵
          PID:2584
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1680

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

      Filesize

      512B

      MD5

      35e4e948e3d561ef22e375b7a93a751c

      SHA1

      172f06ea0822279e7c172c71dbe7d8283023a301

      SHA256

      6f58bc544d6eff7cf0e621494d4f79e789f035a99fdb0958078c6aee27d6de12

      SHA512

      4a5cdaa190855311f32b379f2fdf7b3adc8ebf4fc3982ed935aaadd84a833de693ee633379af2aa4247946889582ae3f8c4c508df75bb6e06c07c7838312fc82