General
-
Target
2e5d02c8ae01a8f66eacdb81a8ff1203dbed3a66
-
Size
146KB
-
Sample
240703-avtvesscmj
-
MD5
940bdaaaf565a64839aa869ddc4b95ae
-
SHA1
2e5d02c8ae01a8f66eacdb81a8ff1203dbed3a66
-
SHA256
0bbd59147cf0893d16829d705dcb6bed82487efc77c78fb17c1f2dcffa08875e
-
SHA512
10ff50e837725dea0dd1ea67153120455853dacca6e5b330197c81101161c96bdfbc2a84c245cfa24a86786f4851d1bdd184515fcf42e7de8e0b6e63a09f691c
-
SSDEEP
3072:V6ZkRGjkBrmKmY99UpkD1/34bIpVSrtLmqc2LVMMqqD/h2LuTeONA5tIHVc:IS9rLPPUpa3VVEtLXcCqqD/hOQnaMc
Static task
static1
Behavioral task
behavioral1
Sample
2e5d02c8ae01a8f66eacdb81a8ff1203dbed3a66.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
2e5d02c8ae01a8f66eacdb81a8ff1203dbed3a66.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt
lockbit
http://lockbit-decryptor.top/?8035FC5C99ED2F24AE8889D508FE35F2
http://lockbitks2tvnmwk.onion/?8035FC5C99ED2F24AE8889D508FE35F2
Extracted
C:\Users\Admin\Desktop\LockBit-note.hta
http://lockbit-decryptor.top/?8035FC5C99ED2F24AE8889D508FE35F2
http://lockbitks2tvnmwk.onion/?8035FC5C99ED2F24AE8889D508FE35F2
Extracted
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt
lockbit
http://lockbit-decryptor.top/?8035FC5C99ED2F24BDF9D85B65DFAB91
http://lockbitks2tvnmwk.onion/?8035FC5C99ED2F24BDF9D85B65DFAB91
Extracted
C:\Users\Admin\Desktop\LockBit-note.hta
http://lockbit-decryptor.top/?8035FC5C99ED2F24BDF9D85B65DFAB91
http://lockbitks2tvnmwk.onion/?8035FC5C99ED2F24BDF9D85B65DFAB91
Targets
-
-
Target
2e5d02c8ae01a8f66eacdb81a8ff1203dbed3a66
-
Size
146KB
-
MD5
940bdaaaf565a64839aa869ddc4b95ae
-
SHA1
2e5d02c8ae01a8f66eacdb81a8ff1203dbed3a66
-
SHA256
0bbd59147cf0893d16829d705dcb6bed82487efc77c78fb17c1f2dcffa08875e
-
SHA512
10ff50e837725dea0dd1ea67153120455853dacca6e5b330197c81101161c96bdfbc2a84c245cfa24a86786f4851d1bdd184515fcf42e7de8e0b6e63a09f691c
-
SSDEEP
3072:V6ZkRGjkBrmKmY99UpkD1/34bIpVSrtLmqc2LVMMqqD/h2LuTeONA5tIHVc:IS9rLPPUpa3VVEtLXcCqqD/hOQnaMc
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (9316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
3