Resubmissions
14-03-2024 19:55
240314-ynfwzsfg23 10Analysis
-
max time kernel
12s -
max time network
50s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
-
submitted
14-03-2024 19:55
General
-
Target
lockbit_unpacked.exe
-
Size
162KB
-
MD5
a2bc2785420b0c6f685d8692d813fbbc
-
SHA1
b118551289c9398a339cd1161b2c101571d4b5fd
-
SHA256
1f9944ccc4cb956c4eb81e76d51b3cb048b838f2f746e2017d4492abd5e9ed79
-
SHA512
32deb1d43a25b1b184f5ac212099d3004277d609d2784297c96632abe181e8c95f62185ea23ecefe640153c454bbcb33ef879d6c2d543f186160c9765e8bf0f8
-
SSDEEP
3072:W5uyulsHwDV1gFnTwn7zwJGJ+at5kCI5Gzei3N2VzRmK:W5uZ1DPgFnk7EJwJI5gDN2VVm
Malware Config
Extracted
C:\Users\Admin\HLJkNskOq.README.txt
lockbit
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Signatures
-
BlackMatter API Hashing IAT pattern was detected 2 IoCs
This rule detects samples from the BlackMatter family unpacked in memory, identifying code reuse of key functions.
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit3.0 API Hashing IAT pattern was detected 2 IoCs
This rule detects samples from the Lockbit3.0 family unpacked in memory, identifying code reuse of key functions.
-
Rule to detect Lockbit 3.0 ransomware Windows payload 2 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\lockbit_unpacked.exe"C:\Users\Admin\AppData\Local\Temp\lockbit_unpacked.exe"1⤵
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\ProgramData\5C84.tmp"C:\ProgramData\5C84.tmp"2⤵
-
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
-
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{A04EFD1B-0809-4758-AE05-4229959B992B}.xps" 1335491977692400002⤵
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5499c0dfe06b0ce8af9869c7e7ec38e28
SHA129944e46435426296630ed85a5fe673359586564
SHA256803f2932b8a1f6c3cf409ab181daa2c3469a3a549c62fd1dc8881f71d97690b1
SHA5123a60af65b8ad7385f25e7d9936664f229580aa368c7f2a774d558c72c91cd7fccd280a499c5d1c2f1d9e82f7b2ea1e0d69369f97d7047a3d910a38dc7de76efa
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
162KB
MD5aaf693f2fb9ad730a1af55513e70b2c8
SHA11da33aecfaab51017b94f9f5c48d141efaca60ba
SHA256b9b0da382c5b3e5ef5ecbcfef2fd6886375e6ff33b0ad8fb18d9a298809e17ff
SHA512699013a5c2da0b234f0604126f047ac91ece00e54b7ea002c2581bf171d2965bce8876952fcd21b4f0e2b3f67d050832e42de49e40c5e89ade6caacd22c4f95f
-
Filesize
10KB
MD553455bf49309bfc6d57de4355d34052c
SHA122acda7fc5a63cc0ed484dfc76330046d8dc506a
SHA256aca09998f35e74710f729c8bb0075720ad2d34e6952e0d89a12cf07eec8df8e1
SHA512db6fb753d8233e8e9a8bf8bd4efc7ffd55ed9be420d61322dda0cb4abefe8e163db46a0f5479d5955b3272c3d04308149aa5e2ebed0ca6f9ce6b7af2e343954a
-
Filesize
129B
MD556aa402db007618d522db93410adb66f
SHA120e6ea46bad224335d47f108f9207fd8f9794185
SHA256e5cf012e40bd9346b97d32b739e0579d9934f87098aa1f8860ac0186eb701854
SHA5120750e417eb0738b7bf7c9c2ce3531aa051aa795b7d66a3a67c940e53697f62d3c7cc6bf289adc7f3d647be3ea9c930c3356755fc25e4be05cc8d4f76c19c4215
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
64KB
-
Filesize
176KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB