Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-05-2024 06:32

General

  • Target

    cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe

  • Size

    356KB

  • MD5

    277068c3d1ec38c4712e695eeafb6a9c

  • SHA1

    92c495cd8f63ddbc7e28efc33246b20bb4fbe2ad

  • SHA256

    cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d

  • SHA512

    f620b16d9b5b074d784d5943989fce40b8b68ec152523dbf7cc7daf4a6c7acfe18809f868593081a8e4bb9f4ae4e67ce63843f8c9a068d557e63ad2da31aef88

  • SSDEEP

    6144:/ulLZM3j7QmPbWDSKwNhzygoEwto7J5OWm0+/WXHhQ3vgmqA8Oi4qQ79xJSQ:/eWHBWSZvzyNe7JMFuS18y59CQ

Malware Config

Extracted

Path

C:\MCgwFy7Y6.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~

>>>> Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom

Links for Tor Browser:
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

Links for the normal browser
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important.
We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live

>>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
Download and install TOR Browser https://www.torproject.org/
Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies.

Links for Tor Browser:
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion

Link for the normal browser
http://lockbitsupp.uz

If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox.
Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7
XMPP (Jabber) Support: [email protected] [email protected]

>>>> Your personal DECRYPTION ID: 9FB63E6DF12C7BF7013E877C889F8471

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

>>>> Advertisement
Would you like to earn millions of dollars $$$ ?
Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak.
You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox.
Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7
XMPP (Jabber) Support: [email protected] [email protected]
If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser

Links for Tor Browser:
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

Links for the normal browser
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Renames multiple (592) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
    "C:\Users\Admin\AppData\Local\Temp\cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:2196
    • C:\ProgramData\85BB.tmp
      "C:\ProgramData\85BB.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\85BB.tmp >> NUL
        3⤵
          PID:1404
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:2772
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{60FE7DE4-136C-4B79-9FAC-5C9B528C18D5}.xps" 133616107638780000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of SetWindowsHookEx
          PID:912

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\AAAAAAAAAAA

        Filesize

        129B

        MD5

        d0d5518fa9be03a66f848dfb54d9f7ac

        SHA1

        4cd6940211a3a68d18e42a49f25b95a7a3df7c0c

        SHA256

        3f2b768fbb6b25a71be528642703ea28002fcc944e1966bc95f57f9085926c9a

        SHA512

        8946324049a4bc131d0ae4bf564f0a29213f843f00f57019937c5b9249c5dcceb3e808e0b03df72d40f8d215190d2820ce606b8985ac4fe61cc279012273726f

      • C:\MCgwFy7Y6.README.txt

        Filesize

        6KB

        MD5

        8546c4c2613567bcbb9afccb46bd1b73

        SHA1

        171b699f856238f09cfa9dea5862c8484f28b17b

        SHA256

        0c97f5f8f8905dff541acd96a4e57ff687b15f1c56b94aa27f773c6bdec9ebfa

        SHA512

        466b18c891ab987226b5be5af4f10609131ab774296dd3c446eba2e1b129f022b1b0db24a1fbd8842dd391fcad51e9347d56495ee98a3790af8551995926643c

      • C:\ProgramData\85BB.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        356KB

        MD5

        45730945b138e4fcbd299ce67fad276e

        SHA1

        aa42b7ada933fa9736d8e3a530fd121d3bf4ff69

        SHA256

        c6b8cf03832386a95c7cb66ef8567611bbcbd6de91a3de02c9723805c5bfc461

        SHA512

        9ae4ac223be88443eb014675d0133d6fb131293af43b1b83bcc248dda5e0ae0720c9688e586bceb01c2c280a13994383fd5945d749bfaa2e05e7aff0a914f3fa

      • C:\Users\Admin\AppData\Local\Temp\{EB8B4189-86B4-40DE-9626-5CD0F14B53F4}

        Filesize

        4KB

        MD5

        625a76bf1fc0fa052a2e9259a86c9796

        SHA1

        75ffdffd1cbc114f555ce2d1e4ad801e11813525

        SHA256

        f300a444ad1253ff0c1576831dbe1653c342d979e2a806dea2a1100e5467e670

        SHA512

        3f08d99d87b9ed7c22d9d43026b36ebd9244d655b916d614478636d521a93f1725e03a3b390f531a5b916cd1d6251e02cc344bf66b31143fffa4b2fde369daa0

      • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

        Filesize

        4KB

        MD5

        c32d8913bb56fe319f21ac7111b63ef7

        SHA1

        9de02eb65c05ee7b9e65f8ee35529227520888e2

        SHA256

        3fc1327ee5ac2ac195ad88fd83f28ff5b533a7914326bd36f35a3ce7a6a03566

        SHA512

        d17ec9c69502be826dc452364ff71d4d21ecb8af68b002951f03c6c33db9f7da22df8c73b31a9957a6a6c86de5bb7766d0189313cf1b8023a1d4e52394c6faed

      • F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        e5d69d2220f6bd6e87b60e4655afdf68

        SHA1

        6282aa1a206fc01fabc0c85835a1b007b63859a4

        SHA256

        5eb7210bb2a58b0ba12790c459af7dcf9e5c8d1b4830783b0ddf39744b83a701

        SHA512

        f3f747de199e4809ac954c735abf21af4a2bc6596c0ec1f044aee89a3f2a76c8b569b922cf46f539717d8ebd3c0d98eef185a40156833894132289209ecf735a

      • memory/848-8-0x0000000000400000-0x0000000000444000-memory.dmp

        Filesize

        272KB

      • memory/848-2749-0x0000000000600000-0x000000000063C000-memory.dmp

        Filesize

        240KB

      • memory/848-9-0x0000000000400000-0x0000000000444000-memory.dmp

        Filesize

        272KB

      • memory/848-0-0x0000000000400000-0x0000000000444000-memory.dmp

        Filesize

        272KB

      • memory/848-5-0x0000000000401000-0x0000000000419000-memory.dmp

        Filesize

        96KB

      • memory/848-2-0x0000000000640000-0x0000000000641000-memory.dmp

        Filesize

        4KB

      • memory/848-2727-0x0000000000400000-0x0000000000444000-memory.dmp

        Filesize

        272KB

      • memory/848-6-0x0000000000400000-0x0000000000444000-memory.dmp

        Filesize

        272KB

      • memory/848-1-0x0000000000400000-0x0000000000444000-memory.dmp

        Filesize

        272KB

      • memory/848-4-0x0000000000600000-0x000000000063C000-memory.dmp

        Filesize

        240KB

      • memory/848-3-0x0000000000400000-0x0000000000444000-memory.dmp

        Filesize

        272KB

      • memory/848-7-0x0000000000400000-0x0000000000444000-memory.dmp

        Filesize

        272KB

      • memory/912-2742-0x00007FF8B62F0000-0x00007FF8B6300000-memory.dmp

        Filesize

        64KB

      • memory/912-2743-0x00007FF8B62F0000-0x00007FF8B6300000-memory.dmp

        Filesize

        64KB

      • memory/912-2747-0x00007FF8B62F0000-0x00007FF8B6300000-memory.dmp

        Filesize

        64KB

      • memory/912-2766-0x00007FF8B4050000-0x00007FF8B4060000-memory.dmp

        Filesize

        64KB

      • memory/912-2779-0x00007FF8B4050000-0x00007FF8B4060000-memory.dmp

        Filesize

        64KB

      • memory/912-2746-0x00007FF8B62F0000-0x00007FF8B6300000-memory.dmp

        Filesize

        64KB

      • memory/912-2744-0x00007FF8B62F0000-0x00007FF8B6300000-memory.dmp

        Filesize

        64KB