Overview

overview

10

Static

static

10

086072e97d...29.exe

windows7-x64

10

086072e97d...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 01:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe

  • Size

    160KB

  • MD5

    7e488e4928dd33d8aaf738da2baaba46

  • SHA1

    6caa45286b4f92555cb4cb5f2ff8ccdb37e09a1e

  • SHA256

    086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529

  • SHA512

    643e834c0281803f44e85e8a3e50f0795a2f41c1bfdd62873cc509536e8752b736729a7ab6c8af4177ae0bbe90229d31f5fffe1d1d4539b710d9aa94acce931b

  • SSDEEP

    3072:JDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368DCH2C+7cSFaCaqWGnW:D5d/zugZqll33n7CKW

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\gqtDmx4Hj.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: ED45A38511580A64F2DEA9B979A7CB9D << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

  • Renames multiple (194) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
    "C:\Users\Admin\AppData\Local\Temp\086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\ProgramData\4B43.tmp
      "C:\ProgramData\4B43.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4B43.tmp >> NUL
        3⤵
          PID:2292
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x14c
      1⤵
        PID:848

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Defacement

      1
      T1491

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini
        Filesize

        129B

        MD5

        8c103af87bd13aa7cacb03ea9de7c850

        SHA1

        84158bd4ca53bf89d1215db46a5a15866cbdc639

        SHA256

        528dbcc7c7efbbc101a97ff6ac9bbf0beb4216421bf2c1e5c1a835bc8ffd75b7

        SHA512

        facc827a679698cfcec8bda18e509a5599e73dd4bfc00121ca6281daf4f8301dafb959db01ea57edd136327b11aac11d55d1f4e8633fa20f2a06bfebedb15794

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
        Filesize

        160KB

        MD5

        5830b1ac634d2123fcf3b675fdefd130

        SHA1

        790ef33a35518a2020197df3c06d4f1e7d0dcea1

        SHA256

        88e07ebed32e7ee34377138b240849330db10a4b98b8ed30fa37d9f5c6b69591

        SHA512

        1d61f5029ea8fe43db24382b07adc2f950bb7b8b9ae955d011ffac593013f288189686838ffcc6d84a065b85eefb530e375eee5971087c17f572f00152329516

        Download Submit
      • C:\Users\gqtDmx4Hj.README.txt
        Filesize

        3KB

        MD5

        4201483fd14926c39df9679a489a0e1a

        SHA1

        c3bcc611f340814fec90b4064cd4a7c33d14a13f

        SHA256

        45f7160b036c271e7620d3252b1acf7ceece40d210268bb1b01ef7d4fe4e8cf6

        SHA512

        849ff7bba208a334d18d15cc82074a16685f1e0be59881437f7891dba6534bebd864bb55b7a29756c18e788f4a0945a1089ef1e2850c960b63de2da6798021d1

        Download Submit
      • F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        7fe55030bd2312fe538c986e7f5581bf

        SHA1

        5413074ac968dfa5a6b67a346f956a50e41cb887

        SHA256

        c741afa3d017fad8f28c4a562daa8ce96b0c02f9b8081356a8bcd7b0dde320fc

        SHA512

        7513f9b0a70cc38dfd201dd31c217c5f46c99fead23c80520483ba1c77a74cddce2810d29fb220d8c58ac1ae6dc5ba88d218ce4ef6f61b570db71e36131e1428

        Download Submit
      • \ProgramData\4B43.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit
      • memory/1136-324-0x0000000000401000-0x0000000000404000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1136-326-0x0000000000400000-0x0000000000407000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1136-355-0x0000000000400000-0x0000000000407000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1136-358-0x0000000000400000-0x0000000000407000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1688-0-0x0000000000CA0000-0x0000000000CE0000-memory.dmp
        Filesize

        256KB

        Download