Overview

overview

10

Static

static

10

exe/start.bat

windows7-x64

10

exe/start.bat

windows10-2004-x64

10

exe/unimed1.exe

windows7-x64

10

exe/unimed1.exe

windows10-2004-x64

10

exe/unimed2.exe

windows7-x64

10

exe/unimed2.exe

windows10-2004-x64

10

exe/unimed3.exe

windows7-x64

10

exe/unimed3.exe

windows10-2004-x64

10

exe/unimed4.exe

windows7-x64

10

exe/unimed4.exe

windows10-2004-x64

10

exe/unimed5.exe

windows7-x64

10

exe/unimed5.exe

windows10-2004-x64

10

exe/unimed6.exe

windows7-x64

10

exe/unimed6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-04-2024 12:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    exe/unimed2.exe

  • Size

    156KB

  • MD5

    80e0e8949a1e52a3a8c7d106901e5f23

  • SHA1

    c061200402a5f591b6ae605ae445dac20adce9aa

  • SHA256

    4735f51c0292b17618a8c789b853025c225b73dfde6bfd78cf1b61447286a144

  • SHA512

    cb918517ba065a2190724639785be0b56afda344d96291dd50880efb3184e12179b3d1bbe6954750c28e1939c9fce66e159c44f4d0cb847e869db8114ea75734

  • SSDEEP

    3072:ODDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368z9Nl02mGoFAXMA5kFW:Y5d/zugZqll3tNlk3I55k

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\8iysYFBai.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: CBCA8AEF72D1436958361F0D9D8F7D63 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

  • Renames multiple (157) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\exe\unimed2.exe
    "C:\Users\Admin\AppData\Local\Temp\exe\unimed2.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\ProgramData\8F01.tmp
      "C:\ProgramData\8F01.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      PID:3192
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-4092317236-2027488869-1227795436-1000\FFFFFFFFFFF
    Filesize

    129B

    MD5

    a57b3c564c093730e05b235300bb20bb

    SHA1

    c44ed2262857c1032af918af85297dcec3d597cc

    SHA256

    17b7dc1be3adf4a2f5863e12eb8868232a7966414a2cb4ab53f26a019b7894bc

    SHA512

    17642f92756dea4e8d08749a5b5dfa75c955aa017df3381420a7f246ada1541aa49230d1edf50a30e1bfe3f0550d6f91a39158ada3ff692223a3c1f5f807e81f

    Download Submit
  • C:\ProgramData\8F01.tmp
    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    Download Submit
  • C:\Users\8iysYFBai.README.txt
    Filesize

    3KB

    MD5

    0fa4bdab66c7509e0839c3bcc5ba4b3a

    SHA1

    ffd098f36333679e3da1a8e234428ceaa3ed011e

    SHA256

    a20a54b174acc22bc5c67ad24d1c5f989a3cfe1da5f358ee735bd27e10930879

    SHA512

    8c7967b7b9f20c88742ae0319cda2ed4b3dd6e8505323f54b6b0e76c753d1202984ad8a2e3cb8f5c84aa891d6a171443c91ff700b41ed416a085fe7c970c9394

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\exe\DDDDDDDDDDD
    Filesize

    156KB

    MD5

    c5069ee55e30e7fcfba0cdd882f226c7

    SHA1

    6451000e57ad11f8e776fe71ad7f9830b9727c0e

    SHA256

    6824bd894a1ed310200944004be66938690414d9c71664b70552e8e200e4b34b

    SHA512

    947403c955a12a4bd6a33835e7eb7d6561c7af2b565e264dd60f4aa0f1b4442180155c7e89dc829c8cb019b6a4dbb805e3a8b317d55f3b51c52f71e83339708f

    Download Submit
  • F:\$RECYCLE.BIN\S-1-5-21-4092317236-2027488869-1227795436-1000\DDDDDDDDDDD
    Filesize

    129B

    MD5

    72b49360e76291d55da81c358bd9968d

    SHA1

    96fdb12ca3c533ff9dde65e772456ec9987e1e94

    SHA256

    38e593bcb1c7509376b864f89cef0a07cfb9018230097b74a0be32488b670ff8

    SHA512

    31290f698d0a8d631ced4941c0221e4da95b3ac9b80f211507f8e8804e8b38397533a38553ce842ca3dd6a86a8ddbe18063b5e5325a0b6545f02ac5c68353873

    Download Submit
  • memory/2156-2-0x0000000003220000-0x0000000003230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2156-1-0x0000000003220000-0x0000000003230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2156-0-0x0000000003220000-0x0000000003230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3192-312-0x00000000028C0000-0x00000000028D0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3192-313-0x00000000028C0000-0x00000000028D0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3192-314-0x000000007FE20000-0x000000007FE21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3192-315-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3192-311-0x000000007FE40000-0x000000007FE41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3192-344-0x00000000028C0000-0x00000000028D0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3192-345-0x00000000028C0000-0x00000000028D0000-memory.dmp
    Filesize

    64KB

    Download