General

  • Target

    16210001048.zip

  • Size

    76KB

  • Sample

    240326-nxfmgahd28

  • MD5

    e45b4d1475b1d5049c7b871a510b7b79

  • SHA1

    69674835b87b3337095d2c1e544ddbd6661c8c8e

  • SHA256

    bf717eadc0e13a52f9f23e680ec4bdfc96c85411155162d138625b310323972a

  • SHA512

    652e6dfbcc83a3d2e69c2b1f3c7d9c95df5034b137ff02064d146a0e46e61c8dda75a814c951a52ef34b24c89f392ca898da01cd520e135e48264622de2dc697

  • SSDEEP

    1536:AGKyxT7UI2PRSeEjF+fC5NOSPKFrGxd8AEQrrbu:AGKkMI2P8PFsgTK0xNZi

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?BD61F8CA9173670ADB51210091D94032 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?BD61F8CA9173670ADB51210091D94032 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.com/?BD61F8CA9173670ADB51210091D94032

http://lockbitks2tvnmwk.onion/?BD61F8CA9173670ADB51210091D94032

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?BD61F8CA9173670ACAD600354B179BB5 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?BD61F8CA9173670ACAD600354B179BB5 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.com/?BD61F8CA9173670ACAD600354B179BB5

http://lockbitks2tvnmwk.onion/?BD61F8CA9173670ACAD600354B179BB5

Targets

    • Target

      19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708

    • Size

      148KB

    • MD5

      64fc181e2dead2367f1c04ab9261e84d

    • SHA1

      acea0a849bb13ea7254639612dc73271f90caddb

    • SHA256

      19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708

    • SHA512

      d43feb42582460e4fd9af0231e746ea2d05d579d2b2669550240b740e57b05f3fb3f3c751f940c0483d09c8960dd3c087ac075b5ab75b109c7e674ac0f44db8d

    • SSDEEP

      3072:ym0ROZIL87L1yoklfzGp3XjRaDRMqqD/A6lHlC:ypMCL8rpHjRaOqqD/RjC

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9357) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
