lockbit

General

Target

22d0df8206901ff34b5ed481cdcd8d9717e2e5ca6d1aa5173dae30a9be83b5b5
Size

1.1MB
Sample

240531-kd18aacd6y
MD5

7de6f61e666acad316d991ca70e6f583
SHA1

7d6d076a0b08118bd86eabc2ba4b2fffdf0043b0
SHA256

22d0df8206901ff34b5ed481cdcd8d9717e2e5ca6d1aa5173dae30a9be83b5b5
SHA512

19a3834ef194e7c539d9f339caca0862b10ecb017b75ea64b0b32de36a3b451fe11972df6a3e90da70e968e0f78ad5ebb20e6837c0d736b408f568ab797e2420
SSDEEP

24576:tOafo4yJ9RyvXgF1yt/uaN75aClM/r1hhBrLp+cyReN+CNITs9Ooy:YaQf92yyHfU3hGcyAN+CNF9i

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 0102F09BDF6B50378F281EF9034820AE

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 0102F09BDF6B5037B4357CC630D46855

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Targets

- Target
  
  22d0df8206901ff34b5ed481cdcd8d9717e2e5ca6d1aa5173dae30a9be83b5b5
- Size
  
  1.1MB
- MD5
  
  7de6f61e666acad316d991ca70e6f583
- SHA1
  
  7d6d076a0b08118bd86eabc2ba4b2fffdf0043b0
- SHA256
  
  22d0df8206901ff34b5ed481cdcd8d9717e2e5ca6d1aa5173dae30a9be83b5b5
- SHA512
  
  19a3834ef194e7c539d9f339caca0862b10ecb017b75ea64b0b32de36a3b451fe11972df6a3e90da70e968e0f78ad5ebb20e6837c0d736b408f568ab797e2420
- SSDEEP
  
  24576:tOafo4yJ9RyvXgF1yt/uaN75aClM/r1hhBrLp+cyReN+CNITs9Ooy:YaQf92yyHfU3hGcyAN+CNF9i
Score

10^/10

lockbit defense_evasion discovery evasion execution impact persistence ransomware
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2