Overview

overview

10

Static

static

10

086072e97d...29.exe

windows7-x64

10

086072e97d...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-05-2024 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe

  • Size

    160KB

  • MD5

    7e488e4928dd33d8aaf738da2baaba46

  • SHA1

    6caa45286b4f92555cb4cb5f2ff8ccdb37e09a1e

  • SHA256

    086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529

  • SHA512

    643e834c0281803f44e85e8a3e50f0795a2f41c1bfdd62873cc509536e8752b736729a7ab6c8af4177ae0bbe90229d31f5fffe1d1d4539b710d9aa94acce931b

  • SSDEEP

    3072:JDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368DCH2C+7cSFaCaqWGnW:D5d/zugZqll33n7CKW

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\gqtDmx4Hj.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: ED45A38511580A644B2B6AD2F48BF643 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

  • Renames multiple (137) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
    "C:\Users\Admin\AppData\Local\Temp\086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\ProgramData\45CE.tmp
      "C:\ProgramData\45CE.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      PID:4572
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1308
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:916

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\IIIIIIIIIII
      Filesize

      129B

      MD5

      f057ed482e3b1d3c88c361343919d83e

      SHA1

      39b84fea39f9de1c70aa1318780c50ad65f53d26

      SHA256

      315224d03c62a1860fb5b7e6ef8d9068875627c40f96972b7f2e39a68ef0c9ad

      SHA512

      4fb1e2a3bc7e5a59d37b8569900ee3775d2d88e6652432bb3ae596e0470d10eb7f1b8ae524aa29c44a4c779b8c5493fda9928dc848891b4c942cf01971f0e47f

      Download Submit
    • C:\ProgramData\45CE.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      160KB

      MD5

      40008b76a3395e5bf9e3bbf747178296

      SHA1

      1d445a428c59a5630dc7180473e95d5865be2fef

      SHA256

      473703a3df54f80f5c72a0064d3231f88c3c24af42d5498ef1383f4366849cde

      SHA512

      2e1b4ee826b9f8162005dea38aff14f01dc64cf5d201e81e490103530a7bd84ea269a2d52b6090bd535d28749d7d26b88136cb4bcb7b4c89bc95b5a81f4b6669

      Download Submit
    • C:\Users\gqtDmx4Hj.README.txt
      Filesize

      3KB

      MD5

      f12fbb8a2ce7262204c5ed78a01ef4b8

      SHA1

      f91379e00ca4b8ebda53aa352401680ad41852e6

      SHA256

      3923b1abf91e323d1922a5f0e1b6e7d9bca900805c7bc52415210ba848f6c701

      SHA512

      a825f7bdb7698f60d2b310e148845a83737ab47a605ca7445c90188bdcc5d987992e268258d79bd485d3533081cad9ed28f2583cbcf047e34c33df1e3ef2a4c2

      Download Submit
    • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\CCCCCCCCCCC
      Filesize

      129B

      MD5

      83548d9f6f49d53c8d310d73375fe933

      SHA1

      bfac54b0cbc8f59ea62d9cf97e0e42c902f39f61

      SHA256

      3afda081246ebcc3c95c6ffe152b44b9d990c536b83574af96ecb720f66a0d2f

      SHA512

      7ef0b5efe12d9e552d6a764e4be9079ac45b343f46210c7edf8de96e949fdb19478c2fedb2431faf4ec4fa07cf2291977cdcb3f2b257d4caad384506d92a8246

      Download Submit
    • memory/3708-295-0x0000000002F90000-0x0000000002FA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3708-2-0x0000000002F90000-0x0000000002FA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3708-294-0x0000000002F90000-0x0000000002FA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3708-1-0x0000000002F90000-0x0000000002FA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3708-296-0x0000000002F90000-0x0000000002FA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3708-0-0x0000000002F90000-0x0000000002FA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4572-297-0x000000007FE40000-0x000000007FE41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4572-301-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4572-300-0x000000007FE20000-0x000000007FE21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4572-299-0x0000000002590000-0x00000000025A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4572-298-0x0000000002590000-0x00000000025A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4572-331-0x0000000002590000-0x00000000025A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4572-330-0x0000000002590000-0x00000000025A0000-memory.dmp
      Filesize

      64KB

      Download