Resubmissions

20-03-2024 09:55

240320-lxzn8sdh94 10

20-03-2024 09:53

240320-lwzb3sef3x 10

18-03-2024 09:01

240318-ky38dadf6s 10

General

  • Target

    b7147a76c6695b750a84de55d4569f71f694b33aeefeef5daa09318ebabd9a24

  • Size

    35.6MB

  • Sample

    240318-ky38dadf6s

  • MD5

    78dfa08cce661350941f9cbaa04321c3

  • SHA1

    6f5e0fac7d3506e8e88750d903624dd2c64f7d01

  • SHA256

    b7147a76c6695b750a84de55d4569f71f694b33aeefeef5daa09318ebabd9a24

  • SHA512

    4de7f03542fc6536232515b1dcbf27bfa2754128dfd6ec816bb6892053e08db92dbaaa66e56325719df5d27fafd0df7f0b533a6df9bc307e8d07826ae9512ea6

  • SSDEEP

    786432:o+qNWPQWNdMvh2f0tAcGRTh3YeI0+r3zZO4s:o+qNWPZKvh40tAcGRTh380+r3zk4s

Malware Config

Extracted

Family

blackmatter

Version

25.239

Extracted

Family

blackmatter

Version

65.239

Extracted

Path

C:\Program Files\DVD Maker\en-US\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 172375D30BE340B4C3C7585BF6ABFBF3
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?A51C1D5E9695AD1095AC67EBB9235858 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?A51C1D5E9695AD1095AC67EBB9235858

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 86FE23AC7A3C78CF6B86FC97F41E99F3
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 86FE23AC7A3C78CF7E2E59A64A28C59E
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Users\Admin\Desktop\LockBit_Ransomware.hta

Ransom Note
Any attempts to restore your files with the thrid-party software will be fatal for your files! To recovery your data and not to allow data leakage, it is possible only through purchase of a private key from us There is only one way to get your files back: Through a standard browser Brave (supports Tor links) FireFox Chrome Edge Opera Open link - https://decoding.at/ Through a Tor Browser - recommended Download Tor Browser - https://www.torproject.org/ and install it. Open one of links in Tor browser and follow instructions on these pages: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or mirrorhttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion/These links work only in the Tor browser! Follow the instructions on this page https://decoding.at may be blocked. We recommend using a Tor browser (or Brave) to access the TOR site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about All your stolen important data will be loaded into our blog if you do not pay ransom. Our blog http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion or https://bigblog.at where you can see data of the companies which refused to pay ransom.
URLs

https://decoding.at/

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or

https://decoding.at

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86E297E5433B05338F This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86E297E5433B05338F

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BA1BBB9133899A5C This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BA1BBB9133899A5C

Extracted

Path

C:\Users\wkyNXZoXP.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion Links for the normal browser http://lockbitapt.uz >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: 25516ED9EB2BDF2DFC8594424636D747 >>>> Warning! 
Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt.uz

https://twitter.com/hashtag/lockbit?f=live

http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion

http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion

http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion

http://lockbitsupp.uz

https://tox.chat/download.html

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
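
The notes extracted above are where the pivotable indicators live: a 32-hex Decryption ID (inside the URL query in the older format, after "Decryption ID:" in the 2.0 and 3.0 formats), v2 or v3 .onion contact hosts, clearnet mirrors and, in the 3.0 note, a 76-hex Tox ID. The script below is an added example and not part of the sandbox report; it pulls those fields out of note text with regular expressions. The three sample notes embedded in it are constructed, trimmed versions of the notes shown above, and the regexes and the version heuristic are this editor's assumptions rather than any LockBit format specification.

```python
"""Extract pivotable indicators from LockBit ransom-note text.

Added example for this report; not sandbox output. The regexes and the
version heuristic are assumptions modelled on the notes shown above, not a
LockBit configuration format.
"""
import re

# Constructed samples: trimmed versions of the three note formats extracted
# above, keeping the IDs and hosts they carry.
SAMPLE_NOTE_V2 = (
    "LockBit 2.0 Ransomware Your data are stolen and encrypted "
    "The data will be published on TOR website "
    "http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion "
    "and https://bigblog.at if you do not pay the ransom "
    "http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or mirror"
    "http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion/ "
    "OR https://decoding.at Decryption ID: 172375D30BE340B4C3C7585BF6ABFBF3"
)
SAMPLE_NOTE_V1 = (
    "All your important files are encrypted! Open link in TOR browser - "
    "http://lockbitks2tvnmwk.onion/?A51C1D5E9695AD1095AC67EBB9235858 "
    "This link only works in Tor Browser!"
)
SAMPLE_NOTE_V3 = (
    "~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ "
    "Links for Tor Browser: "
    "http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion "
    "Links for the normal browser http://lockbitapt.uz "
    "Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 "
    ">>>> Your personal DECRYPTION ID: 25516ED9EB2BDF2DFC8594424636D747"
)

# Onion hosts are 16 (v2) or 56 (v3) base32 characters; matching the label
# instead of the whole URL drops path debris such as the "/or" seen above.
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b")
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# Victim ID: 32 upper-case hex between word boundaries, so the 76-hex Tox ID
# cannot match as a substring.
DECRYPTION_ID_RE = re.compile(r"\b[0-9A-F]{32}\b")
TOX_ID_RE = re.compile(r"\b[0-9A-F]{76}\b")
VERSION_RE = re.compile(r"LockBit\s+(\d\.\d)")


def extract_note_indicators(note: str) -> dict:
    """Return version, victim ID, Tox ID and contact hosts found in a note."""
    onions = sorted({m.group(0) for m in ONION_RE.finditer(note)})
    hosts = [h.lower() for h in URL_HOST_RE.findall(note)]
    clearnet = sorted({h for h in hosts if not h.endswith(".onion")})
    ids = DECRYPTION_ID_RE.findall(note)
    tox = TOX_ID_RE.findall(note)
    version = VERSION_RE.search(note)
    return {
        "version": version.group(1) if version else None,
        "decryption_id": ids[0] if ids else None,
        "tox_id": tox[0] if tox else None,
        "onion": onions,
        # 16-char label + ".onion" = 22; v2 services stopped resolving in 2021,
        # so a v2-only note points at contacts that are already dead.
        "v2_onion": [o for o in onions if len(o) == 22],
        "clearnet": clearnet,
    }


if __name__ == "__main__":
    for name, note in (("v1", SAMPLE_NOTE_V1), ("2.0", SAMPLE_NOTE_V2), ("3.0", SAMPLE_NOTE_V3)):
        print(name, extract_note_indicators(note))
```

Matching the onion host by its 16- or 56-character label rather than the whole URL is what keeps the `/or` fragment in the third note's URL list above from polluting the indicator: the note ran `.onion/or mirrorhttp://` together and a naive URL regex swallows the path. The word-boundary anchors on the ID patterns matter for the same reason; without them the first 32 characters of the Tox ID would be reported as a victim ID.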

Targets

    • Target

      00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8

    • Size

      862KB

    • MD5

      96de05212b30ec85d4cf03386c1b84af

    • SHA1

      dbe5243c6ea5cc4cfb3edf042bd94a59cf9a0e64

    • SHA256

      00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8

    • SHA512

      3a77e9dad5348a612ee83284ed7e098cc19375a92910756bc4d9274f484a68b0a73ce39fef53a1d12fecccc1daf5d48a1d264c18b1fe8ed4741e1a95cbcbdf47

    • SSDEEP

      24576:DxAf2NuubB6RWspgjuwu7pl4Ha+UmxJH+Q9F:dAfSrWW4g+7Ht+UmxJe6

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      01bf78841b63bcdd8280157c486b45ad74811c0251140a054de81a925ce7f716

    • Size

      145KB

    • MD5

      7966a61801e560b0031ba0e7d5864456

    • SHA1

      bb737041b092879f10e400a599e5301d186bb6d9

    • SHA256

      01bf78841b63bcdd8280157c486b45ad74811c0251140a054de81a925ce7f716

    • SHA512

      475f41efdafcb2a19e3d0c47b824f13f7ad609412d5d99bd08346795e3f98a14c96ab62f1ff0305a9fffc8d6c025f7c4c2e8a1502bfdb17484add606539f94d6

    • SSDEEP

      3072:pqJogYkcSNm9V7DF78cwcmphqvbAw/rKfGT:pq2kc4m9tDp7wxhqnm

    • Renames multiple (455) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and given a new extension.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049

    • Size

      959KB

    • MD5

      6fc418ce9b5306b4fd97f815cc9830e5

    • SHA1

      95838a8beb04cfe6f1ded5ecbd00bf6cf97cd564

    • SHA256

      0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049

    • SHA512

      7b9e17dc75d83f6b6ac458f29e07faf30e50d88d283cb50fd64b44730622da48702059e416649455c082ff28328fd70e3acea61527e86a7972978219a7bfcc06

    • SSDEEP

      24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdLF:Ujrc2So1Ff+B3k796l

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd

    • Size

      147KB

    • MD5

      75256873a03f4a4bc073185f48c1097c

    • SHA1

      e9023061def67ba21c09826fadc1607fd7f71d88

    • SHA256

      068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd

    • SHA512

      4b718093ad42d7b7b72498dfcbcfd1b39c980ef44e999b7035e6bfe6b782aad6b7553832f1efee45003d9b0c56bf2e408ca55082c550ac4faa19f199f366dede

    • SSDEEP

      3072:s6glyuxE4GsUPnliByocWepvdHFdjFpZ/fgyVF0dj:s6gDBGpvEByocWetdHZ/fgKF0

    • Renames multiple (9399) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and given a new extension.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      0b856337d9d3255fc3b07635fdadecbe83e23eb5c205eccab83c21c2fb76edc9

    • Size

      150KB

    • MD5

      ebe673b2ee28dd65565f2f389279ac47

    • SHA1

      bcebe09c61d3e6c47aefcb6bca0882752e0053a9

    • SHA256

      0b856337d9d3255fc3b07635fdadecbe83e23eb5c205eccab83c21c2fb76edc9

    • SHA512

      c100672fd9055e0d07996347dcc59b5f689dfb607222d4213d4aea741e85d8db8837a9c46f3343fba82095d0734a21315df1c55f404294da13074a5567e5ad56

    • SSDEEP

      3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/R:pq/1VP1OyysNmJyXsqqD/ls/R

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (6448) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and given a new extension.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      0d38f8bf831f1dbbe9a058930127171f24c3df8dae81e6aa66c430a63cbe0509

    • Size

      162KB

    • MD5

      44e8c23bfb649ecf4cb753ec332899dd

    • SHA1

      465f5b6de78ee184f1ee3400e4edaa0e85558d9e

    • SHA256

      0d38f8bf831f1dbbe9a058930127171f24c3df8dae81e6aa66c430a63cbe0509

    • SHA512

      81f369f044e3b403aae8789c741cbf16e167a38386ef38c49d57a3c8e568b5b75d881f92881aeb10a918ed449ab89b27d70c2809cd956883660ed0202c0caf51

    • SSDEEP

      3072:NEWBPJgr1sgLFXdJ6Xx7OchgXC6TESq072WHI4nL2knI+eT:N71J4sgLBd0Ocz6TEBmHFnLm+eT

    Score
    10/10
    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Target

      0e35a681fc6574663201af8af49d621097ed4c3fba8cd058a82b22dea8bccc5e

    • Size

      959KB

    • MD5

      22e93a1af0bef6fb78f6054b93726f54

    • SHA1

      6dbea516bd91fbde13203795f2128af13f158009

    • SHA256

      0e35a681fc6574663201af8af49d621097ed4c3fba8cd058a82b22dea8bccc5e

    • SHA512

      164b2eefea73fedcf9f0dbc77a068bb6ea9a3c0046ba46f951307f4849b6d67b2e0c045982de235e46cce6b1090caf55ea28563476730265c6af29ac87cb3c3c

    • SSDEEP

      24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdCF:Ujrc2So1Ff+B3k796U

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335

    • Size

      151KB

    • MD5

      1fbef2a9007eb0e32fb586e0fca3f0e7

    • SHA1

      3e86304198d1185a36834e59147fc767315d8678

    • SHA256

      0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335

    • SHA512

      94de457c74b783413514bc5804e86f5e1f0962dc03acf12d0a22c8b383b099518242314862417c24e5b13101b135d36dce285f4db11c989f3bc4331ce1b437b0

    • SSDEEP

      3072:3m5H8y2mrr217uS8nW+cpsCp2cOy1cjKCy8YjKGiyWDDuMqqD/E0a3Hv/:3MHf2mr/Ww74cdlzXFqqD/Za//

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (8716) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and given a new extension.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd

    • Size

      103KB

    • MD5

      e9f6513c37debcce50e9633aefa757c0

    • SHA1

      e7623d6cb0cf234b9f3e3f8b14f63e2077441a0f

    • SHA256

      10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd

    • SHA512

      de6d502b6bb6d6b46d5b0170db2e3f22f376f5370b6fe6793efbe3ea2207e65033d0b3e0b195b90833ec305bd0decffb6264f2dc973160dbdc330646af242d74

    • SSDEEP

      1536:QzICS4A30TY1kUS/U2ztdS1I6DdL9Ta1lx1411ey2NzPBmdy6h+/:vJ0TYyUS/U2RgGWL9+zx1c1eXNNmdA/

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Renames multiple (424) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and given a new extension.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      160c97289764c37afe1a11f72537e95843a9c37a9c5fa02e1046f6b002315021

    • Size

      153KB

    • MD5

      213838221c47c1d5fd11f7eaaf65865c

    • SHA1

      e0444a48c57f1b4a4a46e363bbd421c50f3deca7

    • SHA256

      160c97289764c37afe1a11f72537e95843a9c37a9c5fa02e1046f6b002315021

    • SHA512

      4b17e26f911a1d7fe853ec163d571d86d55944e484fbe4f66718dd3dd2060e8b8502e4df6cbf13b21ad8645eac860ec91266a93aa176d4891b7ef43a40b5e220

    • SSDEEP

      3072:M6glyuxE4GsUPnliByocWep+EE2GLTlsuGb:M6gDBGpvEByocWeBGLTlWb

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Renames multiple (459) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and given a new extension.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0

    • Size

      959KB

    • MD5

      fec0ba68b3118f490dbee9dc5cc382d4

    • SHA1

      c5a76c237314d970fb5acfc118c1f1109d012704

    • SHA256

      19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0

    • SHA512

      4c202c11503607baa0fccc23223933eaf1ffe052607f46f3d596520ced90359d1bcf1369ce335d4b63de9c221cf137d6354ce88fead6e3164c54903c8e20f81c

    • SSDEEP

      24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdMF:Ujrc2So1Ff+B3k796W

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18

    • Size

      150KB

    • MD5

      1f4f6abfced4c347ba951a04c8d86982

    • SHA1

      a4c486b0926f55e99d12f749135612602cc4bf64

    • SHA256

      1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18

    • SHA512

      ae9d631a193d04194bcb54ccf5573730c04b2d9d732addf04af2100e7d67584a3cfba67cfaa2a9da05099d71c56dd58cfdb9f58d070b72ae58d0add20cf0afd3

    • SSDEEP

      3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/:pq/1VP1OyysNmJyXsqqD/ls/

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9311) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and given a new extension.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518

    • Size

      113KB

    • MD5

      44a19bd034e150b21084da75ad65ef0c

    • SHA1

      72666d6482fded7e524591a2bd61bb14494560a2

    • SHA256

      1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518

    • SHA512

      e9801d9386ec3cc0a8086a790e8586847f180c1562d1ddcee06307edd44e2267a98018f2b51add2c9136af949da59aa9def76b49b66e6e4235d69d1b9246b99c

    • SSDEEP

      1536:+zICS4Az7zr5gUke9jyAa1d0obdsx1R4hRltKHvkT9SDFSDevAwxOOr:l1735ZzNwX0obdi3gJKvkBShSDaAHO

    Score
    10/10
    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1eb0b48ca74c119b53d372de7d639f0bcb1337fb526347fb3b22f62214280e1d

    • Size

      158KB

    • MD5

      fd618940c30715bc3a539f9c9592baf9

    • SHA1

      8ff1b7306d00e6d04bcbff68c57acf4895d0518b

    • SHA256

      1eb0b48ca74c119b53d372de7d639f0bcb1337fb526347fb3b22f62214280e1d

    • SHA512

      caa6505e9bb5ae38589d2f2ad2ae8f2cc5e9381d883c5a16663f2bcfbf54826d682f6c12f6c89100d2f8059965b3f90dc9d4cc2d2f41fceed64b46127cf59f29

    • SSDEEP

      3072:W/LecLDzqMDMXSBTWD85cb0E/fsO+L0ukZsqSkq2jSU:W/pDzqMGSBTWD85cb0AHya4kq2O

    Score
    1/10
    • Target

      1f0e4cbc1a4b52b6d7e4188e4a835a904cf783c75db9a066df4201452bd9647d

    • Size

      153KB

    • MD5

      9876648d8e8d857bd698c39cfa0ca3a3

    • SHA1

      bb3ef4fa029b5e7ddb4666b68406d570764c908e

    • SHA256

      1f0e4cbc1a4b52b6d7e4188e4a835a904cf783c75db9a066df4201452bd9647d

    • SHA512

      63a94dfa67f9cbedde1c3af4d1c9178eb0f84049c86dbdbaefde11b50ada2de846d72a7bb1848d72677844f810e8b2812815caee774f568a899171b95b8cbdce

    • SSDEEP

      3072:uqJogYkcSNm9V7DZqX7A+Rf5KZXxpU756T:uq2kc4m9tDgZf5KZX325

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Renames multiple (446) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and given a new extension.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390

    • Size

      153KB

    • MD5

      bb78df384ff1d296d1f0b59803df89b3

    • SHA1

      39c9235f96cf39a24c9907ac9ff5ab58de837bac

    • SHA256

      239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390

    • SHA512

      b682f26d3baf33ab2f11036f1c0461c1c022d8073989db5f6cfaaa84655bc46d8fa0dac7b1842c74c69d7ad640c9d390dec946cfa8dd08efd240886e816a3288

    • SSDEEP

      3072:5qJogYkcSNm9V7DvjFHHjHLuHk7XHURLPGwAcT:5q2kc4m9tDFfXkuwA

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Renames multiple (436) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and given a new extension.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger
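
The per-target signatures above repeat one chain: shadow copies deleted, boot configuration changed with bcdedit, the backup catalog removed with wbadmin, then hundreds or thousands of files renamed with a new extension. The module below is an added example and not the sandbox's own rules; it runs two detections over constructed process-creation and file-rename events and scores each process id by the ATT&CK techniques it trips (T1490 Inhibit System Recovery, T1486 Data Encrypted for Impact). The event shape, the thresholds, the `.lockbit` extension in the sample data and the command-line patterns are assumptions: they model the generic commands ransomware uses for these steps, not command lines recovered from these samples.

```python
"""Detections for the recovery-inhibition and mass-rename behaviour that the
per-target signatures above flag, run over constructed telemetry.

Added example for this report, not the sandbox's rules. The event shape,
thresholds, the ".lockbit" extension in the sample data and the command-line
patterns are assumptions: they model the generic commands ransomware uses
to delete shadow copies, disable boot recovery and wipe the backup catalog,
not command lines recovered from these samples.
"""
import re
from collections import defaultdict

# (ATT&CK technique, rule label, case-insensitive pattern)
INHIBIT_RECOVERY_RULES = [
    ("T1490", "vssadmin delete shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "wmic shadowcopy delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "bcdedit disable recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no", re.I)),
    ("T1490", "bcdedit ignore boot failures",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("T1490", "wbadmin delete catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]


def detect_inhibit_recovery(events):
    """One hit per process-creation event whose command line matches a rule."""
    hits = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        for technique, label, rx in INHIBIT_RECOVERY_RULES:
            if rx.search(ev["cmdline"]):
                hits.append({"pid": ev["pid"], "technique": technique,
                             "rule": label, "cmdline": ev["cmdline"]})
    return hits


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_rename_burst(events, min_files=10, window_s=5.0):
    """Flag a pid that renames >= min_files files to the same new extension
    inside window_s seconds: the footprint of an encryptor appending its
    extension, as in the "Renames multiple (N) files" signatures above."""
    by_pid = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_rename":
            new_ext = _ext(ev["dst"])
            if new_ext and new_ext != _ext(ev["src"]):
                by_pid[ev["pid"]].append((ev["ts"], new_ext))
    hits = []
    for pid, renames in by_pid.items():
        renames.sort()
        for i, (t0, ext) in enumerate(renames):
            in_window = [t for t, e in renames[i:] if e == ext and t - t0 <= window_s]
            if len(in_window) >= min_files:
                hits.append({"pid": pid, "technique": "T1486", "extension": ext,
                             "count": len(in_window), "window_s": window_s})
                break
    return hits


def score_pids(events):
    """Map pid -> sorted ATT&CK techniques; both on one pid is the LockBit shape."""
    techniques = defaultdict(set)
    for hit in detect_inhibit_recovery(events) + detect_rename_burst(events):
        techniques[hit["pid"]].add(hit["technique"])
    return {pid: sorted(t) for pid, t in techniques.items()}


def _proc(ts, pid, cmdline):
    return {"type": "process_create", "ts": ts, "pid": pid, "cmdline": cmdline}


def _rename(ts, pid, src, dst):
    return {"type": "file_rename", "ts": ts, "pid": pid, "src": src, "dst": dst}


# Constructed telemetry: pid 1000 is a benign admin session, pid 4242 plays
# the ransomware. Timestamps are seconds from an arbitrary origin.
SAMPLE_EVENTS = [
    _proc(0.0, 1000, r"C:\Windows\System32\vssadmin.exe list shadows"),
    _proc(1.0, 4242, r"vssadmin.exe delete shadows /all /quiet"),
    _proc(1.2, 4242, r"bcdedit /set {default} recoveryenabled No"),
    _proc(1.3, 4242, r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    _proc(1.5, 4242, r"wbadmin delete catalog -quiet"),
    _rename(2.0, 1000, r"C:\Users\Admin\report.tmp", r"C:\Users\Admin\report.docx"),
] + [
    _rename(3.0 + i * 0.1, 4242,
            rf"C:\Users\Admin\Documents\file{i}.docx",
            rf"C:\Users\Admin\Documents\file{i}.docx.lockbit")
    for i in range(12)
]


if __name__ == "__main__":
    for pid, techniques in score_pids(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(techniques)}")
```

`vssadmin delete shadows` and `wbadmin delete catalog` also appear in legitimate backup maintenance, which is why `score_pids` is the interesting output: a single process id carrying both T1490 and a T1486 rename burst is the shape every 10/10 target above shares, whereas either alone is a lead to triage. In production, feed it Sysmon event ID 1 for process creation and your EDR's file-rename telemetry in place of `SAMPLE_EVENTS`.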

MITRE ATT&CK Enterprise v15

Tasks

static1

chaos, lockbit, neshta, blackmatter
Score
10/10

behavioral1

lockbit, discovery, evasion, persistence, ransomware
Score
10/10

behavioral2

lockbit, discovery, persistence, ransomware
Score
10/10

behavioral3

ransomware, spyware, stealer
Score
9/10

behavioral4

ransomware, spyware, stealer
Score
9/10

behavioral5

lockbit, discovery, evasion, persistence, ransomware
Score
10/10

behavioral6

lockbit, discovery, evasion, persistence, ransomware
Score
10/10

behavioral7

ransomware, spyware, stealer
Score
10/10

behavioral8

ransomware, spyware, stealer
Score
10/10

behavioral9

lockbit, evasion, persistence, ransomware
Score
10/10

behavioral10

lockbit, evasion, persistence, ransomware
Score
10/10

behavioral11

lockbit, ransomware
Score
10/10

behavioral12

lockbit, ransomware
Score
10/10

behavioral13

lockbit, discovery, evasion, persistence, ransomware
Score
10/10

behavioral14

lockbit, discovery, evasion, persistence, ransomware
Score
10/10

behavioral15

lockbit, evasion, persistence, ransomware
Score
10/10

behavioral16

lockbit, evasion, persistence, ransomware
Score
10/10

behavioral17

lockbit, ransomware, spyware, stealer
Score
10/10

behavioral18

lockbit, ransomware
Score
10/10

behavioral19

lockbit, ransomware, spyware, stealer
Score
10/10

behavioral20

lockbit, ransomware, spyware, stealer
Score
10/10

behavioral21

lockbit, discovery, evasion, persistence, ransomware
Score
10/10

behavioral22

lockbit, discovery, evasion, persistence, ransomware
Score
10/10

behavioral23

lockbit, evasion, persistence, ransomware
Score
10/10

behavioral24

lockbit, evasion, persistence, ransomware
Score
10/10

behavioral25

lockbit, ransomware
Score
10/10

behavioral26

lockbit, ransomware
Score
10/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

lockbit, ransomware, spyware, stealer
Score
10/10

behavioral30

lockbit, ransomware, spyware, stealer
Score
10/10

behavioral31

lockbit, ransomware, spyware, stealer
Score
10/10

behavioral32

lockbit, ransomware, spyware, stealer
Score
10/10