Overview

overview

10

Static

static

10

9feed0c7fa...af.exe

windows7-x64

10

9feed0c7fa...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14/03/2024, 04:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af.exe

  • Size

    959KB

  • MD5

    63dcf75ad743b292e4a6cd067ffc2c18

  • SHA1

    0d68ea228f49fdd8d044a2fb0dae9174eba73d7a

  • SHA256

    9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af

  • SHA512

    c982f183caf5859c3d8d8b2c7831e3e6a9d074b651f27ed89fdf486db577d1d4a3af901a8b17ad667ef85a4c900c99766388ff99c564a7443479b8831eb5f43e

  • SSDEEP

    24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdPF:Ujrc2So1Ff+B3k7965

Score
10/10
lockbitevasionpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 2ED873D43FE5DD3840D04BF3232D32CA
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af.exe
    "C:\Users\Admin\AppData\Local\Temp\9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:612
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:472
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:568
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2392
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1644
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1040
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.7 -n 3
        3⤵
        • Runs ping.exe
        PID:2252
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af.exe"
        3⤵
          PID:1388
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2300

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
            Filesize

            512B

            MD5

            82364c9281103e2842f0b5105a5fc658

            SHA1

            e1873969f8151209837d6f73a7a05e2a6e291f1c

            SHA256

            e97b649a4cfd005371bd043d03f46a8335473e044c8ab9732c0c5110789ad684

            SHA512

            9f2556e2734f5f0c1e844aa482b44e4bfd02612b271ae50becc2f15530e22deb212e62f4fd743bde1c04867bf465575c9553faacf4c4cfadcc4606952776d09c

            Download Submit