Overview

overview

10

Static

static

10

2024-06-12...it.exe

windows7-x64

10

2024-06-12...it.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit

  • Size

    140KB

  • Sample

    240612-a4gapaxama

  • MD5

    adee08d1d86e361d08ced8adc8ab17dc

  • SHA1

    4ff5efcf97516cb1ef4c07fc04bab0d3b9fc1b6f

  • SHA256

    1d79d85948aa4c62b8367f233b088d9adb00915475a559f7e163e12edf9b9ccb

  • SHA512

    34dc8efffd83294103007003c4f95fcdf0cdb40d8f8036c6f7413bf8711a7e475beea1ca599103ceeddfb3c1f3e00985923233117f4684df3dcea02a2de04d10

  • SSDEEP

    3072:iU8E2JPpYg/GGo2l+mL3iUfqMqqD/KqEA8PC:QE2pHNo2wW3r5qqD/2T

Score
10/10
lockbitdefense_evasionevasionexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\jre\lib\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! There is only one way to get your files back: 1. Contact with us 2. Send us 1 any encrypted your file and your personal key 3. We will decrypt 1 file for test(maximum file size - 1 MB), its guarantee what we can decrypt your files 4. Pay 5. We send for you decryptor software We accept Bitcoin Attention! Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price(they add their fee to our) Contact information: [email protected] Be sure to duplicate your message on the e-mail: [email protected] Your personal id: PVemH9OeNwCmqXsZmZnhsS9BBlglYH66KybfrzGp7VyEO7GS+hkW4qIyHthqZgjV 93VWpNuVXJQpBMOwuiWAYpOJy8Jzf9qd2oUage1KwFaGwIq40wziRsKLh2H3Ww4L OAkX+WXoSIY5RT31kUQGNqa1KbI8aSfDmDO0vlHad7ju0YUkN5GvION/LC1IazgG 3ugiRJgQ6oR2NoG0ts3xuLLaUGp8reOBGYm9MB2fY/qG3VQsPNsrae7yy9oTYyiV bLm6H1k8k7L/ZF4HcyqCKfXLEGUL8XLQ4Oqv/DvGESxLILQj25xbl7+VCvjPezti 5BDQI/pD3qkPeVjnKflZvBmWIs0L0UXV3GMXWaiO7uL/6hJxmsmWYK7ixZlp1683 w9OKcq9+5OeiN3hAoCHLI6xbP5uPqiJNYkyzhHrpF9KWuOI3uM16fK2wgWL6u26j YK2TI/iVqmQ3el1tj8aY8aLDgrLsAQP8tLmq1hhkmGjfnVogebD0nFiky8PyOUg7 9WsiLPVcEac9Y5IKXgF9got0z4pZJ73WODikQNImKh2yhoTXG8Td5pXeYCRAcyDA tvE7NY+YcOzHuPhsSeUU0o8ISRzIcdyS/xN5kkCeRBvOdJuslqmFE8S9e9E2tpWP vgj5iFdvAb9D6qysUp6p3AmI8vYM3qpO6JHR7mXFshQYwFwvB/CGQuhQLT6c1JEc TWsLt05rZWU0oQI33hG7P8rxanDE6kvSnQxgL6g1E0Vuz8to/NMVtilPIvbrhr5Y BIQsR6GYG/O+AxjDp95iUW5JF4VRFkw0h0plfVxnQCUdu1A/vLkIcGUTu4MAO/8b r8HN7d2Won/yPWAnmxST+5lNVxjewqXhmXHXpTEDWiboMXdQ6WpgR7c6ZrT9lMpd AGX+303EY3LuYINmrflxF13SGTCxQt5lrNvkEBzeVHR6UTJLOdSMcuVNlXZXoq/B DYGdSeLEUc4aoPBK0nC2KKw0MeWnaa24PAJTLUDq/kX3dbMj0JzC1Mfguxp3kHzF VZLKgaY+szECOxdbvE1KKnVvnxjaIeBPHADRpA4BgsfUp5vTdiTTUJpFjgrYuUR+ eBWrgvkGT5cnvmXFWqPQJwqMht6k5Or6lfF032oCOvQCRJQXROjYn7Sam39wMBy7 qXg14ojOt5viRerkrAuyS01qbApfreMfVMku69xmJQ+Y3T9pFI96GClCi7pgGgVx 7UR+XwI9JMZhR7SGzDOVOmmlldfzOu/m4C0aerTDF/x6I8WaeVbDyi94RkFZx92R Zkgaur4l/6SR0JOxjghYN5M5NB3Gv8mMI/lEm//4S4YYDHQ+GQTYxfvAb8iOXWlz c5qRwrnVdKg0+YOYcuKqOT6oCrMBALKWHUd87ZCrtNUjiqJbJKhNv9ucPNbMZSoj QixCODj5jsJ0+p6ppC3CqtPl2OXGAGN/HO/OOonD9nXdi0qbX3j4G4hgYfU2r5rv lpzPwXqCYkEySGfYr9QgBb/y9RtBs5JgaC2PtoyPfJIylnQZ8W9xQOOxrJ/U0o5q VS+SzYEvkuAGWHtFw9MQj383yi1NnWKZWjgzZVop2pJpskvTsqybNlTu6crOM9sR Hn5jnCKE1wkkbml/US7d3FmlbW/3IUkFwt5XbjvQCTPWBPLvSnaGPY5jtM+3EQTh 3Lwsi8t2ySidGc7rYIoRHTenwA1fOsZIwxhvF458Gwg=

Extracted

Path

C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! There is only one way to get your files back: 1. Contact with us 2. Send us 1 any encrypted your file and your personal key 3. We will decrypt 1 file for test(maximum file size - 1 MB), its guarantee what we can decrypt your files 4. Pay 5. We send for you decryptor software We accept Bitcoin Attention! Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price(they add their fee to our) Contact information: [email protected] Be sure to duplicate your message on the e-mail: [email protected] Your personal id: Y6XKFIo0P4S8XNCAzRFmPa2mDoopuvc0wcZLrVnCZ1c7blSLPc5eGKHG4zuKtdrR pYM+rJ6M5EI/Mea/79sgDV5Uer9gpYZxbsqlSTDYm7Y73rsOmBNVsCDD2VvHhCIf zEIKtdzN+igeSWcrTaU407al4bxb6605TndI7gpRJZatenPQUPuz+ABO2NnqxyrB AWRi/jCPYD1VbzkB173Lfj4GF8b4SO//sVEdaNl8Rlv092gJIVaC6Hss3+D0UJiP FH49Eaxw2vEw3Vcy4NzdJoUjtlWWjJ51l2+C6D/vAc+fUoLp16C25j7wNQ8yXnYu 4Qn2FGttb5BZdmg0wQwEvGmSIKaw3oZ2TGfBDXqSrlMUxYNDqJBLqipq8h4r6GeP hPCnWYDpEW84Hibfebovq9RY1W4Y2QKxTfzO2IEVnlIjnkAacQkaEQnQlXX0QiPC YgLxJrqexni98npqwSfXADd0l+4sHXbWwjbx7AGGPU7LkpNmrOttfsDvVO8rX76Y Ts27NaAUbpbr/7Zp/HutpHEnJYSMauBEt6RqgNf5oHefzjcCEwUkjPA2IuY4dLU0 JJFlzpypQjT3eNceAMfKhfb6j5kdbNKGiU3gKSTR70MhpeN4r8VqWds3Mf8E9yBr I4b+jguJUlYhgn8tHgqa2/rBaNAPggpVRibRE+l55rZAJACMm2BDDh+7bt+4iFJX sExFh8fOC/HKYvjYT/z6mOyXhompEK9CxHxMbUmxGwXEglbCGDeXMT5D5SK9oRos 4ShFn8Z8qk7exCE1qrMDHsEpSA5bRKTwlzfzT3CA4tYUOEsHlXoW2lbU35qFZJE+ t+5vJekUO4WPjilVFus64IdicQt4uu/rcWoDWEiv341dmsUqjs7uRC6fcfDSKfjw 7H/A7JZIA8CnBhrAZddwZRHLmVz45jezL1JzfUx3QFLqCgfBobcLFxuB83kBA8sB 7hzSntIoDv8L0HAR52GTP/orCjZxnZgqrsZLlspoWoVmTxtolZFWqjlsmB78H0pL GJDh4w0fihNuexIw50mzxdCgdocOm4jvbdIxnEXjcbAbkBc5xTSsPP7msT0WBI0a zKKuSiF6YBIzdvXUUfhcxQecZt/BJyu2tGp4k5VedrJqDPOlhh/sb4PcDmYajxFW v+6bGmiukOTCyi+h4Yo6dHMxm9E16TjU8bXbi/9d9VkR3qenqcSndX4Hfu/zKuZy en0XGMbEJ38jjOO3ChVtG0p7LZdkmh0LhVqf/NUI3P6j6ccnxc5yy7M6IOM6oQWZ 2kmq/v3fB/r2m7SyS3eIXvq95mxihcB6mEJeiF3RWxo+xC6CmK4q18dm4CtwmRH6 Y86EI3NswVqVh425etGo/AtqbQhwVbYpBetRuywc1sSvt4mK9vvYUEgF1O1YBJDT KyDxWySgzDs8wnYRjZWN2NYg5Dz9VQ9+z1F1d3mVCGyGBK0SeB+kM8I2OZeP6M39 F2BkJogvcJxJBp6w5meNnFcrOHJljbkO/2VXfhIINQZHOwJG25z8xvzbcZC6pdR7 SX9c+9TzEWdXFyd98ocbwAw0pSyYtheWUxHbX384Pum3msZCemXMLQv3sxgGWEya g+HnSgnDTDNeAcmreMlBvMG2n/n/xm4YapYb6TE63I9CJ7iQpspfgfv6+mldyWAg 6Xe0dBYxcPwzLNwxnseKbMWX5y6X9UuWYkgsOE59k44=

Targets

    • Target

      2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit

    • Size

      140KB

    • MD5

      adee08d1d86e361d08ced8adc8ab17dc

    • SHA1

      4ff5efcf97516cb1ef4c07fc04bab0d3b9fc1b6f

    • SHA256

      1d79d85948aa4c62b8367f233b088d9adb00915475a559f7e163e12edf9b9ccb

    • SHA512

      34dc8efffd83294103007003c4f95fcdf0cdb40d8f8036c6f7413bf8711a7e475beea1ca599103ceeddfb3c1f3e00985923233117f4684df3dcea02a2de04d10

    • SSDEEP

      3072:iU8E2JPpYg/GGo2l+mL3iUfqMqqD/KqEA8PC:QE2pHNo2wW3r5qqD/2T

    Score
    10/10
    lockbitdefense_evasionevasionexecutionimpactpersistenceransomware

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

      ransomwarelockbit

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Detects command variations typically used by ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (7482) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks