Overview

overview

10

Static

static

10

b7147a76c6...24.zip

windows10-1703-x64

10

Resubmissions

20-03-2024 09:55

240320-lxzn8sdh94 10

20-03-2024 09:53

240320-lwzb3sef3x 10

18-03-2024 09:01

240318-ky38dadf6s 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b7147a76c6695b750a84de55d4569f71f694b33aeefeef5daa09318ebabd9a24

  • Size

    35.6MB

  • Sample

    240414-mwat6aga64

  • MD5

    78dfa08cce661350941f9cbaa04321c3

  • SHA1

    6f5e0fac7d3506e8e88750d903624dd2c64f7d01

  • SHA256

    b7147a76c6695b750a84de55d4569f71f694b33aeefeef5daa09318ebabd9a24

  • SHA512

    4de7f03542fc6536232515b1dcbf27bfa2754128dfd6ec816bb6892053e08db92dbaaa66e56325719df5d27fafd0df7f0b533a6df9bc307e8d07826ae9512ea6

  • SSDEEP

    786432:o+qNWPQWNdMvh2f0tAcGRTh3YeI0+r3zZO4s:o+qNWPZKvh40tAcGRTh380+r3zk4s

Score
10/10
blackmatterchaoslockbitneshtaevasionpersistenceransomware

Malware Config

Extracted

Family

blackmatter

Version

25.239

Extracted

Family

blackmatter

Version

65.239

Extracted

Path

C:\Program Files\Java\jdk-1.8\include\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?A51C1D5E9695AD10A0FA64FBBC21460C This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?A51C1D5E9695AD10A0FA64FBBC21460C

Targets

    • Target

      b7147a76c6695b750a84de55d4569f71f694b33aeefeef5daa09318ebabd9a24

    • Size

      35.6MB

    • MD5

      78dfa08cce661350941f9cbaa04321c3

    • SHA1

      6f5e0fac7d3506e8e88750d903624dd2c64f7d01

    • SHA256

      b7147a76c6695b750a84de55d4569f71f694b33aeefeef5daa09318ebabd9a24

    • SHA512

      4de7f03542fc6536232515b1dcbf27bfa2754128dfd6ec816bb6892053e08db92dbaaa66e56325719df5d27fafd0df7f0b533a6df9bc307e8d07826ae9512ea6

    • SSDEEP

      786432:o+qNWPQWNdMvh2f0tAcGRTh3YeI0+r3zZO4s:o+qNWPZKvh40tAcGRTh380+r3zk4s

    Score
    10/10
    lockbitevasionpersistenceransomware

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

      ransomwarelockbit

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (6385) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks