Overview
Static
Each submitted file was run as a behavioral task on both windows7-x64 and windows10-2004-x64:
- exe/start.bat
- exe/unimed1.exe
- exe/unimed2.exe
- exe/unimed3.exe
- exe/unimed4.exe
- exe/unimed5.exe
- exe/unimed6.exe
Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-04-2024 12:53
Behavioral tasks
- behavioral1: exe/start.bat on win7-20240221-en
- behavioral2: exe/start.bat on win10v2004-20240412-en
- behavioral3: exe/unimed1.exe on win7-20240221-en
- behavioral4: exe/unimed1.exe on win10v2004-20240412-en
- behavioral5: exe/unimed2.exe on win7-20240221-en
- behavioral6: exe/unimed2.exe on win10v2004-20240412-en
- behavioral7: exe/unimed3.exe on win7-20240221-en
- behavioral8: exe/unimed3.exe on win10v2004-20240412-en
- behavioral9: exe/unimed4.exe on win7-20240221-en
- behavioral10: exe/unimed4.exe on win10v2004-20240412-en
- behavioral11: exe/unimed5.exe on win7-20240221-en
- behavioral12: exe/unimed5.exe on win10v2004-20240412-en
- behavioral13: exe/unimed6.exe on win7-20240220-en
- behavioral14: exe/unimed6.exe on win10v2004-20240412-en
General
- Target: exe/unimed2.exe
- Size: 156KB
- MD5: 80e0e8949a1e52a3a8c7d106901e5f23
- SHA1: c061200402a5f591b6ae605ae445dac20adce9aa
- SHA256: 4735f51c0292b17618a8c789b853025c225b73dfde6bfd78cf1b61447286a144
- SHA512: cb918517ba065a2190724639785be0b56afda344d96291dd50880efb3184e12179b3d1bbe6954750c28e1939c9fce66e159c44f4d0cb847e869db8114ea75734
- SSDEEP: 3072:ODDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368z9Nl02mGoFAXMA5kFW:Y5d/zugZqll3tNlk3I55k
Malware Config
Extracted from the dropped note C:\Users\8iysYFBai.README.txt:
- http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
- http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
- http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
- http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
- http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
- http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
- http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
- https://twitter.com/hashtag/lockbit?f=live
- http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
- http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
- http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
- http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
- http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
- http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
- http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
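Before the extracted .onion addresses go into a blocklist it is worth confirming that each one is a well-formed v3 onion-service hostname rather than extraction debris. The Python below is an added example, not part of the sandbox report or of the note it parsed: it pulls 56-character .onion hostnames out of a constructed note fragment (a few lines written here to stand in for the note, carrying two addresses copied from the list above, one synthetic address generated in the script from a dummy key, one clearnet URL and one bogus label) and checks each against the v3 address layout of base32(pubkey[32] || checksum[2] || version 0x03), where checksum is the first two bytes of SHA3-256(".onion checksum" || pubkey || version). The sample text, the dummy key and the helper names are assumptions; the layout and checksum rule follow Tor's rend-spec-v3.

```python
"""Added example (not from the sandbox report): extract and validate v3 .onion
addresses from note text before they are used as blocklist IoCs."""
import base64
import hashlib
import re

# A v3 onion-service hostname is exactly 56 base32 characters followed by .onion.
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b", re.IGNORECASE)


def onion_v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version), per rend-spec-v3."""
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()
    return digest[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build a v3 hostname from a 32-byte public key (used here only to make test data)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public keys are 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_onion_v3(hostname: str) -> bool:
    """True only if the label decodes to pubkey||checksum||version with version 3
    and the checksum recomputes; rejects wrong length, bad base32 and v2-style names."""
    label = hostname.lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label, casefold=True)
    except (ValueError, TypeError):  # characters outside the base32 alphabet
        return False
    if len(raw) != 35:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == 3 and checksum == onion_v3_checksum(pubkey, version)


def extract_onion_hosts(text: str) -> dict:
    """Map each distinct .onion hostname found in text to its validation result."""
    hosts = {m.group(1).lower() + ".onion" for m in ONION_V3_RE.finditer(text)}
    return {h: validate_onion_v3(h) for h in sorted(hosts)}


# Constructed note fragment (assumption, not the real note): two addresses copied from
# the extracted config, one synthetic address, one clearnet URL and one bogus label.
SYNTHETIC_ONION = encode_onion_v3(bytes(range(32)))
SAMPLE_NOTE = f"""
Tor Browser links (constructed sample text):
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
http://{SYNTHETIC_ONION}/
https://twitter.com/hashtag/lockbit?f=live
http://{'a' * 56}.onion/
"""

if __name__ == "__main__":
    for host, ok in extract_onion_hosts(SAMPLE_NOTE).items():
        print(f"{'valid  ' if ok else 'INVALID'} {host}")
```

An address that fails the checksum is either garbled in extraction or was never a real service; either way it should not be pushed to a blocklist as-is. The clearnet Twitter URL is intentionally not matched, since it is not a Tor indicator.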
Signatures
- Renames multiple (157) files with added filename extension
  This pattern suggests ransomware activity: files across the system are being encrypted and renamed.
- Deletes itself (1 IoC)
  Process: 8F01.tmp (PID 3192)
- Executes dropped EXE (1 IoC)
  Process: 8F01.tmp (PID 3192)
- Drops desktop.ini file(s) (2 IoCs)
  unimed2.exe: file opened for modification C:\$Recycle.Bin\S-1-5-21-4092317236-2027488869-1227795436-1000\desktop.ini
  unimed2.exe: file opened for modification F:\$RECYCLE.BIN\S-1-5-21-4092317236-2027488869-1227795436-1000\desktop.ini
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  unimed2.exe: set value (str) \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\8iysYFBai.bmp"
  unimed2.exe: set value (str) \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\8iysYFBai.bmp"
- Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  unimed2.exe (PID 2156): 6 calls; 8F01.tmp (PID 3192): 6 calls
- Modifies Control Panel (2 IoCs)
  unimed2.exe: key created \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\Desktop
  unimed2.exe: set value (str) \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\Desktop\WallpaperStyle = "10"
- Modifies registry class (5 IoCs)
  unimed2.exe: key created \REGISTRY\MACHINE\SOFTWARE\Classes\8iysYFBai\DefaultIcon
  unimed2.exe: key created \REGISTRY\MACHINE\SOFTWARE\Classes\8iysYFBai
  unimed2.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\8iysYFBai\DefaultIcon\ = "C:\\ProgramData\\8iysYFBai.ico"
  unimed2.exe: key created \REGISTRY\MACHINE\SOFTWARE\Classes\.8iysYFBai
  unimed2.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.8iysYFBai\ = "8iysYFBai"
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  unimed2.exe (PID 2156): 14 occurrences
- Suspicious behavior: RenamesItself (26 IoCs)
  8F01.tmp (PID 3192): 26 occurrences
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  unimed2.exe (PID 2156) enabled, in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, LUID 36 (not resolved to a name by the sandbox), SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, LUID 33 (not resolved), SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege again.
  vssvc.exe (PID 2104) enabled: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege.
  The remaining 45 entries are unimed2.exe (PID 2156) re-enabling SeBackupPrivilege and SeSecurityPrivilege in alternating pairs.
- Suspicious use of WriteProcessMemory (4 IoCs)
  unimed2.exe (PID 2156) wrote to the memory of 8F01.tmp (PID 3192), 4 times
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service manages backups/snapshots. The report records the COM API being used and vssvc.exe (PID 2104) enabling SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege, but it does not show which VSS operation was requested; on an affected host, confirm whether existing shadow copies survived before relying on them for recovery.
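Taken one at a time the registry and rename IoCs above are noisy (an installer also registers a file class, a user also changes the wallpaper), but together they form a strong ransomware signal. The Python below is an added example, not the sandbox's own signature logic: it runs three rules over a constructed event stream that mirrors this report (PID 2156 and image unimed2.exe, the .8iysYFBai file class with its DefaultIcon under ProgramData, the ProgramData wallpaper) plus a few benign events, and correlates the hits into a single finding. The event schema, the benign events, the twelve file renames attributed to PID 2156 and the rename threshold of 10 are assumptions; the report does not say which process performed the 157 renames or what threshold the sandbox applies.

```python
"""Added example (not the sandbox's own logic): correlate registry and file-rename
IoCs of the kind listed above into one ransomware finding.
Every event below is constructed to mirror the report; it is not a log export."""
import re
from collections import defaultdict

PROGRAMDATA = re.compile(r"^c:\\programdata\\", re.IGNORECASE)
RENAME_THRESHOLD = 10  # assumption: the sandbox's own rename threshold is not stated

# Constructed events. "reg_set" carries key/name/value; "file_rename" carries src/dst.
EVENTS = [
    {"type": "reg_set", "pid": 2156, "image": "unimed2.exe",
     "key": r"HKLM\SOFTWARE\Classes\8iysYFBai\DefaultIcon", "name": "",
     "value": r"C:\ProgramData\8iysYFBai.ico"},
    {"type": "reg_set", "pid": 2156, "image": "unimed2.exe",
     "key": r"HKLM\SOFTWARE\Classes\.8iysYFBai", "name": "", "value": "8iysYFBai"},
    {"type": "reg_set", "pid": 2156, "image": "unimed2.exe",
     "key": r"HKCU\Control Panel\Desktop", "name": "WallPaper",
     "value": r"C:\ProgramData\8iysYFBai.bmp"},
    # Benign: the user picks a wallpaper through the shell.
    {"type": "reg_set", "pid": 4321, "image": "explorer.exe",
     "key": r"HKCU\Control Panel\Desktop", "name": "Wallpaper",
     "value": r"C:\Users\Admin\Pictures\beach.jpg"},
    # Benign: an ordinary rename that replaces the extension instead of appending one.
    {"type": "file_rename", "pid": 4321, "image": "explorer.exe",
     "src": r"C:\Users\Admin\Documents\report.tmp",
     "dst": r"C:\Users\Admin\Documents\report.docx"},
]
# Assumed: twelve user files get the new extension appended by PID 2156.
EVENTS += [
    {"type": "file_rename", "pid": 2156, "image": "unimed2.exe",
     "src": rf"C:\Users\Admin\Documents\file{i}.docx",
     "dst": rf"C:\Users\Admin\Documents\file{i}.docx.8iysYFBai"}
    for i in range(12)
]


def registered_extensions(events):
    """{(pid, ext): DefaultIcon path} for file classes a process registers itself:
    Classes\\.ext (default value) -> progid, then Classes\\progid\\DefaultIcon (default)."""
    ext_of = {}  # (pid, progid) -> ext
    for e in events:
        m = re.search(r"\\Classes\\\.([^\\]+)$", e.get("key", ""), re.IGNORECASE)
        if e["type"] == "reg_set" and m and e["name"] == "":
            ext_of[(e["pid"], e["value"])] = m.group(1)
    icons = {}
    for e in events:
        m = re.search(r"\\Classes\\([^\\.][^\\]*)\\DefaultIcon$", e.get("key", ""), re.IGNORECASE)
        if e["type"] == "reg_set" and m and (e["pid"], m.group(1)) in ext_of:
            icons[(e["pid"], ext_of[(e["pid"], m.group(1))])] = e["value"]
    return icons


def wallpaper_hijacks(events):
    """[(pid, path)] where a process other than the shell points the wallpaper into ProgramData."""
    return [(e["pid"], e["value"]) for e in events
            if e["type"] == "reg_set"
            and e["key"].lower().endswith(r"\control panel\desktop")
            and e["name"].lower() == "wallpaper"
            and e["image"].lower() != "explorer.exe"
            and PROGRAMDATA.match(e["value"])]


def rename_bursts(events, threshold=RENAME_THRESHOLD):
    """{(pid, ext): count} for renames that keep the whole source name and append one extension."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] != "file_rename":
            continue
        src, dst = e["src"], e["dst"]
        if dst.startswith(src + ".") and "." not in dst[len(src) + 1:]:
            counts[(e["pid"], dst[len(src) + 1:])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def ransomware_findings(events, threshold=RENAME_THRESHOLD):
    """One finding per process that mass-appends extension X and also registers file
    class .X with an icon under ProgramData; a wallpaper hijack by that PID is noted."""
    icons = registered_extensions(events)
    hijacked = {pid for pid, _ in wallpaper_hijacks(events)}
    findings = []
    for (pid, ext), n in rename_bursts(events, threshold).items():
        icon = icons.get((pid, ext))
        if icon and PROGRAMDATA.match(icon):
            findings.append({"pid": pid, "extension": ext, "renamed": n,
                             "icon": icon, "wallpaper_hijack": pid in hijacked})
    return findings


if __name__ == "__main__":
    for finding in ransomware_findings(EVENTS):
        print(finding)
```

The rename rule only counts renames where the destination is the full source name plus exactly one new extension, which is the shape "Renames multiple files with added filename extension" describes; extension replacements and moves are ignored so that ordinary save-and-rename workflows do not count toward the burst.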
Processes
- C:\Users\Admin\AppData\Local\Temp\exe\unimed2.exe (PID 2156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\exe\unimed2.exe"
  Signatures: Drops desktop.ini file(s); Sets desktop wallpaper using registry; Suspicious use of NtSetInformationThreadHideFromDebugger; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\ProgramData\8F01.tmp (PID 3192), child of unimed2.exe
    Command line: "C:\ProgramData\8F01.tmp"
    Signatures: Deletes itself; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: RenamesItself
- C:\Windows\system32\vssvc.exe (PID 2104)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\$Recycle.Bin\S-1-5-21-4092317236-2027488869-1227795436-1000\FFFFFFFFFFF
  Filesize: 129B
  MD5: a57b3c564c093730e05b235300bb20bb
  SHA1: c44ed2262857c1032af918af85297dcec3d597cc
  SHA256: 17b7dc1be3adf4a2f5863e12eb8868232a7966414a2cb4ab53f26a019b7894bc
  SHA512: 17642f92756dea4e8d08749a5b5dfa75c955aa017df3381420a7f246ada1541aa49230d1edf50a30e1bfe3f0550d6f91a39158ada3ff692223a3c1f5f807e81f
- C:\ProgramData\8F01.tmp
  Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
- C:\Users\8iysYFBai.README.txt
  Filesize: 3KB
  MD5: 0fa4bdab66c7509e0839c3bcc5ba4b3a
  SHA1: ffd098f36333679e3da1a8e234428ceaa3ed011e
  SHA256: a20a54b174acc22bc5c67ad24d1c5f989a3cfe1da5f358ee735bd27e10930879
  SHA512: 8c7967b7b9f20c88742ae0319cda2ed4b3dd6e8505323f54b6b0e76c753d1202984ad8a2e3cb8f5c84aa891d6a171443c91ff700b41ed416a085fe7c970c9394
- C:\Users\Admin\AppData\Local\Temp\exe\DDDDDDDDDDD
  Filesize: 156KB
  MD5: c5069ee55e30e7fcfba0cdd882f226c7
  SHA1: 6451000e57ad11f8e776fe71ad7f9830b9727c0e
  SHA256: 6824bd894a1ed310200944004be66938690414d9c71664b70552e8e200e4b34b
  SHA512: 947403c955a12a4bd6a33835e7eb7d6561c7af2b565e264dd60f4aa0f1b4442180155c7e89dc829c8cb019b6a4dbb805e3a8b317d55f3b51c52f71e83339708f
- F:\$RECYCLE.BIN\S-1-5-21-4092317236-2027488869-1227795436-1000\DDDDDDDDDDD
  Filesize: 129B
  MD5: 72b49360e76291d55da81c358bd9968d
  SHA1: 96fdb12ca3c533ff9dde65e772456ec9987e1e94
  SHA256: 38e593bcb1c7509376b864f89cef0a07cfb9018230097b74a0be32488b670ff8
  SHA512: 31290f698d0a8d631ced4941c0221e4da95b3ac9b80f211507f8e8804e8b38397533a38553ce842ca3dd6a86a8ddbe18063b5e5325a0b6545f02ac5c68353873
- memory/2156-2-0x0000000003220000-0x0000000003230000-memory.dmp
  Filesize: 64KB
- memory/2156-1-0x0000000003220000-0x0000000003230000-memory.dmp
  Filesize: 64KB
- memory/2156-0-0x0000000003220000-0x0000000003230000-memory.dmp
  Filesize: 64KB
- memory/3192-312-0x00000000028C0000-0x00000000028D0000-memory.dmp
  Filesize: 64KB
- memory/3192-313-0x00000000028C0000-0x00000000028D0000-memory.dmp
  Filesize: 64KB
- memory/3192-314-0x000000007FE20000-0x000000007FE21000-memory.dmp
  Filesize: 4KB
- memory/3192-315-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
  Filesize: 4KB
- memory/3192-311-0x000000007FE40000-0x000000007FE41000-memory.dmp
  Filesize: 4KB
- memory/3192-344-0x00000000028C0000-0x00000000028D0000-memory.dmp
  Filesize: 64KB
- memory/3192-345-0x00000000028C0000-0x00000000028D0000-memory.dmp
  Filesize: 64KB