Analysis
-
max time kernel
148s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
24-07-2024 15:05
General
-
Target
622F0A32C590C461A03A3CE3FE5D5C81AD3F98AEAE07B3A23C9659C3F0AE3F5A.exe
-
Size
153KB
-
MD5
deb7ef58572b638de10c6c806a0960b5
-
SHA1
72b3d55fac841336eafdd435227dd02f0081ca30
-
SHA256
622f0a32c590c461a03a3ce3fe5d5c81ad3f98aeae07b3a23c9659c3f0ae3f5a
-
SHA512
a425dd875ca1e036709d24459ecbbbe69c462c13d7dc34e4ba0ddd6d0b68bbefc20958f32e45c6dfc0479ae3019951b609bca9a7a2090412aba3098ab018ae48
-
SSDEEP
3072:z6glyuxE4GsUPnliByocWepr40H7zT2s4yqbrvbGC5C:z6gDBGpvEByocWe57fTYPvbH5C
Malware Config
Extracted
C:\6nqxYhlZe.README.txt
lockbit
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Renames multiple (620) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\622F0A32C590C461A03A3CE3FE5D5C81AD3F98AEAE07B3A23C9659C3F0AE3F5A.exe"C:\Users\Admin\AppData\Local\Temp\622F0A32C590C461A03A3CE3FE5D5C81AD3F98AEAE07B3A23C9659C3F0AE3F5A.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
-
-
C:\ProgramData\D7B4.tmp"C:\ProgramData\D7B4.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D7B4.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{52A9853F-4204-4BFF-ADB4-5CFD90F28DFC}.xps" 1336630712331500002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5bddac9e84c5159157f4f4ce9cf1431e5
SHA133e112ca7c92d65a5f55957ddd1964fb42f524cd
SHA25646cc241578773d050e4d89b1024022eb1fe27b0c46c885c4b3dc420e47866012
SHA512cebbee91309341b1fd8621e458406cf327c9f141ca891029f6248c2a57c6d0b1826ff3b124c4bd7805b385b06c52a31d29677c06e1ed2903369c1c455b2b8053
-
Filesize
6KB
MD5959d6adb823c5d956eee45542f7e4d18
SHA1d8b630d9d3c27e9dc030510041c7f5bcb9e842dd
SHA2563901e5af266413e48638791cb8046209a40135fa3e02396439b044f4e6b853b6
SHA512b82feec66ceced9a6d159f1cce0b0335cbb86d0c7b5108e1e1c69886f09fb3e7968fbaf270f7eb682feb850c0d7ea2bc247db7b1b0f9208d070f9817e8aa2acd
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
153KB
MD58c0dbe7ab286c114148cd2260e7419fa
SHA134b4caae911913cc1a020a4835195ce8ec17e86a
SHA2560f65d6dd65a7a30062ce8e070d6c6bef81126969fcb1d94ae9489bb3657758f7
SHA51217fbe3d5bb5942dd738ede4dcdb56fffb7bb726844c0cdab61f9fa8358c3eec274668a925eac556587605f115ddf814880ae673f8d409b1a786fc9eec9f08e6c
-
Filesize
4KB
MD5112782ae5b694b5e5e52657146149228
SHA12753c6fc248df3d2e800d1043556b2e7576103cb
SHA256aff902412d0ab5df9792887bd6aaf4fbb5457b1f95e61000458c8a8322b89162
SHA512db6b22c754914909394d1c443856f08f6e825055e5dfaac276bd75833a88077f14e391b2fff739f44c710e79e0d485be3a8469cf7ab31bd98d30e29f4a3b9655
-
Filesize
4KB
MD50e120a3766cdfd1dd10d2a2d587d1442
SHA1f98ffbf3a29f5e0ad02f1f59c090d132fc7a9a97
SHA256251bcc3090a357abf9741bbb9be35c68c28e0a0dd025649601f9a0852640d1a7
SHA512ab600281a37c1d386a6382ae4f0421e3e46abb340799cb47456e35df238aff297b1d2591e4777bdeaf36ae70c24165d3cff80ca6dbea7f56bc4071196b07bb61
-
Filesize
129B
MD54f63389fb88c439b3307556f372fe3a7
SHA10c844ddfa81dfbc03acf8d54ce03ee42a1eac2e1
SHA25632f72dd980a9130e6e340f32040d646096c9bce67ac4ea0e0ca59c4281622853
SHA5123cc741733339f8fc9eaa84a1563eadf3f40ee85598ca3aa3ba2f53f93536d7fd063a0baba2dd954b1a281de8ad3bf2733d8672a1fc9d78d6395a8b2e1d696cfe
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB