lockfile | e36819a304d8eb00a404b3ff1dce1f708de985ca87f56e8c571a4a14740ffd62 | Triage

Submit
Reports

Overview

overview

Static

static

2024-04-12...er.exe

windows7-x64

2024-04-12...er.exe

windows10-2004-x64

Sharing

General

Target

2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer
Size

71KB
Sample

240413-ac622abd8y
MD5

44fcd277d0a92c0b7eafd911ccc93864
SHA1

6beed4cec39a2f126738e9a8909cd84f4edb5736
SHA256

e36819a304d8eb00a404b3ff1dce1f708de985ca87f56e8c571a4a14740ffd62
SHA512

2b6085c757242f552b1db42e9353c41d9ff8c5f7b9cc69ee4441087862a16487ccc58690d08487fdb5fc9e8072b275bf74085ee901727fdd2eacdc4fa5eadf04
SSDEEP

1536:AXcbhZMBIWhuUsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2AH:lhZEVsrQLOJgY8Zp8LHD4XWaNH71dLdS

Score

10^/10

lockfile ransomware

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe

Resource

win7-20240221-en

lockfile ransomware

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe

Resource

win10v2004-20240412-en

lockfile ransomware

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer
- Size
  
  71KB
- MD5
  
  44fcd277d0a92c0b7eafd911ccc93864
- SHA1
  
  6beed4cec39a2f126738e9a8909cd84f4edb5736
- SHA256
  
  e36819a304d8eb00a404b3ff1dce1f708de985ca87f56e8c571a4a14740ffd62
- SHA512
  
  2b6085c757242f552b1db42e9353c41d9ff8c5f7b9cc69ee4441087862a16487ccc58690d08487fdb5fc9e8072b275bf74085ee901727fdd2eacdc4fa5eadf04
- SSDEEP
  
  1536:AXcbhZMBIWhuUsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2AH:lhZEVsrQLOJgY8Zp8LHD4XWaNH71dLdS
Score

10^/10

lockfile ransomware
- LockFile
  LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
  ransomware lockfile
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (190) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

File Deletion

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Resource Development

Reconnaissance

Tasks

static1

behavioral1

lockfileransomware

behavioral2

lockfileransomware

© 2018-2024

Terms | Privacy