Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 12:29

General

  • Target

    430492f325292bb007cf8913eed4d042ecabad89aabafd34d3be375016e7795a.exe

  • Size

    1.1MB

  • MD5

    bb3f13a877b7bce490965d5be1abbeb3

  • SHA1

    f4068d17e85a99a869c99d36c6214c34a1c067d9

  • SHA256

    430492f325292bb007cf8913eed4d042ecabad89aabafd34d3be375016e7795a

  • SHA512

    53d6c98cf387dd73a844cf853aa1b5b1b4ab0934e3da2f5e1d6eb55b4173299a885e7ba295a16930b2bef8747f086f45991334a65b5a2455fbc12ca5b95effc1

  • SSDEEP

    24576:GU2Nmt559j0wK0LnOsPSC34+iMxdzjFA6af6FKRR:GUB55apKD7vrxNaB

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\lib\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware
Your data are stolen and encrypted
The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
You can contact us and decrypt one file for free on these TOR sites
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
OR https://decoding.at
Decryption ID: AE664DC084E03AFD21C9EA370B154CA1

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\430492f325292bb007cf8913eed4d042ecabad89aabafd34d3be375016e7795a.exe
    "C:\Users\Admin\AppData\Local\Temp\430492f325292bb007cf8913eed4d042ecabad89aabafd34d3be375016e7795a.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2512
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2220
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:888
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3028
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\430492f325292bb007cf8913eed4d042ecabad89aabafd34d3be375016e7795a.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\430492f325292bb007cf8913eed4d042ecabad89aabafd34d3be375016e7795a.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:340
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.7 -n 3
        3⤵
        • Runs ping.exe
        PID:1292
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\430492f325292bb007cf8913eed4d042ecabad89aabafd34d3be375016e7795a.exe"
        3⤵
        PID:1744
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Java\jdk1.7.0_80\db\lib\Restore-My-Files.txt

    Filesize

    512B

    MD5

    175ca10a5bd17ff5b2bfc295ff4d0a8b

    SHA1

    ed1d3da1ea7c0af7e9cef8777ed706ce29065efb

    SHA256

    0a4c2635d7f52264deff2ac959cea12e195861b1257b235b43cf9726f5027241

    SHA512

    f016b610a54dd5e60b51a58025085a5f69194c3e962233ba2faa1e03e535826323b6510e8e77d826d56ea25dfb948a8823c93cd42012f350ab6177f634331c06

  • memory/1972-6-0x0000000000400000-0x0000000000516000-memory.dmp

    Filesize

    1.1MB

  • memory/1972-2-0x0000000000400000-0x0000000000516000-memory.dmp

    Filesize

    1.1MB

  • memory/1972-7-0x0000000000400000-0x0000000000516000-memory.dmp

    Filesize

    1.1MB

  • memory/1972-0-0x0000000000400000-0x0000000000516000-memory.dmp

    Filesize

    1.1MB

  • memory/1972-7641-0x0000000000400000-0x0000000000516000-memory.dmp

    Filesize

    1.1MB

  • memory/1972-3-0x00000000003B0000-0x00000000003EB000-memory.dmp

    Filesize

    236KB

  • memory/1972-4-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

  • memory/1972-1-0x0000000000400000-0x0000000000516000-memory.dmp

    Filesize

    1.1MB

  • memory/1972-5-0x0000000000401000-0x00000000004E1000-memory.dmp

    Filesize

    896KB

  • memory/1972-7651-0x0000000000400000-0x0000000000516000-memory.dmp

    Filesize

    1.1MB

  • memory/1972-7652-0x00000000003B0000-0x00000000003EB000-memory.dmp

    Filesize

    236KB

  • memory/1972-7654-0x0000000000400000-0x0000000000516000-memory.dmp

    Filesize

    1.1MB

  • memory/1972-7653-0x0000000000401000-0x00000000004E1000-memory.dmp

    Filesize

    896KB

  • memory/1972-7655-0x0000000000400000-0x0000000000516000-memory.dmp

    Filesize

    1.1MB

  • memory/1972-7656-0x0000000000400000-0x0000000000516000-memory.dmp

    Filesize

    1.1MB

  • memory/1972-7660-0x0000000000400000-0x0000000000516000-memory.dmp

    Filesize

    1.1MB