Overview

overview

10

Static

static

3

2e5d02c8ae...66.exe

windows7-x64

10

2e5d02c8ae...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 00:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e5d02c8ae01a8f66eacdb81a8ff1203dbed3a66.exe

  • Size

    146KB

  • MD5

    940bdaaaf565a64839aa869ddc4b95ae

  • SHA1

    2e5d02c8ae01a8f66eacdb81a8ff1203dbed3a66

  • SHA256

    0bbd59147cf0893d16829d705dcb6bed82487efc77c78fb17c1f2dcffa08875e

  • SHA512

    10ff50e837725dea0dd1ea67153120455853dacca6e5b330197c81101161c96bdfbc2a84c245cfa24a86786f4851d1bdd184515fcf42e7de8e0b6e63a09f691c

  • SSDEEP

    3072:V6ZkRGjkBrmKmY99UpkD1/34bIpVSrtLmqc2LVMMqqD/h2LuTeONA5tIHVc:IS9rLPPUpa3VVEtLXcCqqD/hOQnaMc

Score
10/10
lockbitdefense_evasionevasionexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?8035FC5C99ED2F24BDF9D85B65DFAB91 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8035FC5C99ED2F24BDF9D85B65DFAB91 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8035FC5C99ED2F24BDF9D85B65DFAB91

http://lockbitks2tvnmwk.onion/?8035FC5C99ED2F24BDF9D85B65DFAB91

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?8035FC5C99ED2F24BDF9D85B65DFAB91 Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?8035FC5C99ED2F24BDF9D85B65DFAB91 This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8035FC5C99ED2F24BDF9D85B65DFAB91

http://lockbitks2tvnmwk.onion/?8035FC5C99ED2F24BDF9D85B65DFAB91

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (6396) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e5d02c8ae01a8f66eacdb81a8ff1203dbed3a66.exe
    "C:\Users\Admin\AppData\Local\Temp\2e5d02c8ae01a8f66eacdb81a8ff1203dbed3a66.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4344
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3620
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4188
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3556
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:828
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:760
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:4332
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
        PID:5720
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 1780
          3⤵
          • Program crash
          PID:5420
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2e5d02c8ae01a8f66eacdb81a8ff1203dbed3a66.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2e5d02c8ae01a8f66eacdb81a8ff1203dbed3a66.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5828
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.7 -n 3
          3⤵
          • Runs ping.exe
          PID:5860
        • C:\Windows\SysWOW64\fsutil.exe
          fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2e5d02c8ae01a8f66eacdb81a8ff1203dbed3a66.exe"
          3⤵
            PID:5528
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3628
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:996
      • C:\Windows\System32\vdsldr.exe
        C:\Windows\System32\vdsldr.exe -Embedding
        1⤵
          PID:4904
        • C:\Windows\System32\vds.exe
          C:\Windows\System32\vds.exe
          1⤵
          • Checks SCSI registry key(s)
          PID:1396
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5720 -ip 5720
          1⤵
            PID:5548

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt
            Filesize

            1KB

            MD5

            651471bdaadbee228c70c37118e00ca9

            SHA1

            71cb87c4f07639afb204b28cb84e5ef5fdc5eedc

            SHA256

            9433e52dee59cf3795788970da0410d3245320c7a24b87a0029a02c2f69b6b4e

            SHA512

            6003116e4112a03558a41374c5679ed3af784f3ef7c545b023853042ce66be3fee28ee84bbeea8044e29ef5b517aa8636faad493bf2666c60b4a17682f428b4e

            Download Submit

          • C:\Users\Admin\Desktop\LockBit-note.hta
            Filesize

            17KB

            MD5

            6ef410abad8f312f3c110383f490aff7

            SHA1

            76342c68037d3d32e26188e9c7fc5571c5fa0481

            SHA256

            4cbdae1f1460e3a2ab2a1d8330ca534f67e16a347cdd732ffb2c23eb206b7867

            SHA512

            96f635f99bc5e0148a5cb21547a405687b3db54c51068d1ef053bd3ccf4db3277519111daa1c21757b554b717faa32022bb8146d5968a6f6db1f877b2d802985

            Download Submit