Analysis
-
max time kernel
155s -
max time network
156s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
05-08-2024 14:12
General
-
Target
d.exe
-
Size
162KB
-
MD5
628e4a77536859ffc2853005924db2ef
-
SHA1
c2a321b6078acfab582a195c3eaf3fe05e095ce0
-
SHA256
d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee
-
SHA512
aae3e3e9b12ab7389e5f2eac89b2a306c4d2b91bb4204f83cc7308a83c3dea88bbc2d826546c886fd580c01245a6be5c0aefcd93936daeecb3614935248de5f1
-
SSDEEP
3072:o5uyulsHwDV1gFnTwn7zwJGJ+3t5kCI5Gzei3N2VzRmK:o5uZ1DPgFnk7EJwaI5gDN2VVm
Malware Config
Extracted
C:\Users\HLJkNskOq.README.txt
lockbit
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Rule to detect Lockbit 3.0 ransomware Windows payload 2 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 6 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: RenamesItself 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d.exe"C:\Users\Admin\AppData\Local\Temp\d.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
-
-
C:\ProgramData\7C84.tmp"C:\ProgramData\7C84.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7C84.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{58E485CE-19CB-4038-AD1C-7E238254C2D7}.xps" 1336734075423200002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.0.949888961\221631964" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {815b1f12-d5d8-402c-9942-2e678f14b03d} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 1764 165d1a16b58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.1.218658457\973837098" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ded5d7d-ffac-457e-80d1-69725f8ea4c7} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 2120 165c596c458 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.2.282016319\78338548" -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2880 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42b284ce-059b-4a5b-af80-e7911037b01a} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 2980 165d4bc9158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.3.393943165\290926521" -childID 2 -isForBrowser -prefsHandle 3244 -prefMapHandle 3272 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efdd11f4-1a7a-4c79-9174-1a1be341102c} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 1296 165c5962258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.4.1966000968\1855330308" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3728 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea33b947-8de5-4fb9-9dfd-00505860bd35} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 3748 165d51f1758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.5.2120728992\850047940" -childID 4 -isForBrowser -prefsHandle 4920 -prefMapHandle 4916 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8b8883d-bfac-4d0e-8db3-eef9929e04d8} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 4824 165d65e5858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.6.1775709109\1409681713" -childID 5 -isForBrowser -prefsHandle 5028 -prefMapHandle 5032 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbde9440-4688-4a94-9cb1-e5aa32451b44} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 5020 165d6d3ac58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.7.604885478\783005792" -childID 6 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d8c6132-26a4-4348-829d-9b9ecd5d1289} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 5204 165d6d3a658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.8.1433417040\1657177263" -childID 7 -isForBrowser -prefsHandle 5516 -prefMapHandle 5540 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c2ab3ed-1a9f-4c7a-a573-8c3f7a1ee1ce} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 5528 165d4cd4a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.9.313059803\1166566435" -childID 8 -isForBrowser -prefsHandle 4956 -prefMapHandle 4960 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37fafa1a-143a-4c0b-b900-2a6880eb6f93} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 4588 165d6d38558 tab3⤵
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4081⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD50a7731b8fc52d654dcb273c9669df2b1
SHA112457a970bf2a25e368f2371c8e9bce0cc65f289
SHA2563a2d1c1b18dfddfcaca432fe233bc1ec6ff96bdb2810bdc424ec2ae7a957f75b
SHA51228b5c98d6ca2d3514c5aa6e8bd45dfb07ca4fdb7143baa4bd3b191ec18d64b96e245771f56e457a5a57c034be3cec4a8e77a33de4b560017a3e1f81b3478f003
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
162KB
MD5cbb5ad77381679fcc23a03f3d00eabb7
SHA157233a8aa25de0167d18406acc58c200d5c07bd4
SHA256cf9c188d4838629457ce14cbdf627a0a7f5c902b5e9c106cdc9de5025afae3a0
SHA512dbd9d6d04722ab7ee662d4c8f25e4f25265f473b83bc2c30d0a2394fe868b7cfc44b80f1a099218ebe8251f953956db1089cf4fc527b71ce7c2721bd7155e37f
-
Filesize
4KB
MD5b6229ee292dac5bbdb7819f75ecfb491
SHA1981a5269c86c04bd49fbb966116fadc345f40697
SHA2564ea1d6278b0d1f1ee64aca8c380afb7fc6b7d3ee22a8f4b8329ce40d6ec3edfc
SHA5129dda8c870a848fc9a5ed6d82b84dcce6424b22d6be4e525d173a5fa2375e36591c81e415ced435c046ecdede70d20d842c6242e830ea3e306c9877917b9f3273
-
Filesize
2KB
MD515851edfd604ed38b1790a17065beb45
SHA121415d41f605b27221e102763adb56e8e440a78b
SHA2560cc2b71a5ff86c9197093aaeeeef535e43c4ff0e4581a4927960c10f333dc82b
SHA51287484e39526e8c8c4e92cfd998c0b810d19ba06b9c9a21850dba9580e0c288cea7ff5f5d91e96cd2ba2f83fb269b88a79ef113d41366181ecb3eae14633bd338
-
Filesize
746B
MD5a1a8b6e0115500daaa37355aa1d38ced
SHA1ccb02b0d42a1f3d5136be634092738eb9d87e98e
SHA25666917533a39f70898abd83c84646ec8c56d489d40cfe6cbdaf7d0ec5a0044870
SHA5122c0d68251b9b839242ebd068c565e79797dca3f4541028be757165be2140a507155ec041fa8d254bfe6817264aab47a619dc1920f424e546e1df0c479055c325
-
Filesize
11KB
MD5ac937ca1ce9b1c2474f4b95379100675
SHA1e16a2e5f6043d5a0828ac82495537b675d2aa5e9
SHA2560f90cefaf83d9d4dc926633a4cc5a48a468ea3a7e43ebd07f12a911c391cc382
SHA5126ede0eb9745fc9801620c4d7781c8ca0db31f7bd6436d3027e2c113bf8fb01b5cdaa7680141afce7dac26335a276685b34d08e3d6d16125c0270c16afb25a9df
-
Filesize
6KB
MD549df029c41d6a1bfa0b7873d7a9d2134
SHA11647c4d3cf9d23f7e5a9d08c434fcb78d6178427
SHA2561c313763e59ea48c537aa4b28209cc949fed47a95e2e511620135874cb0a3018
SHA5122db8a58839d20591a2d05be4f7245ac92ebfaa2d7e7df895564161edd85e225d65f7997dd260b167565d42deddc03165f9ddeb00107ff506f0bfac673608c98a
-
Filesize
6KB
MD51efc1a6fb6a379eb78d9df768db866b2
SHA15a97e01207abb3db33602eddd0816aa518c87238
SHA2563423bf4c1181949521ad42008c6b9af0709e2fb30232c7e367dd5d2835764c56
SHA5122d346f83fe3e559013c5637a2232c2bef39f7ac8aceda26ca5ca8aaf390ed9f588fd85c7841123ed7bf97bc42d677ecc5b1384804d58bca16bcfbb2b443c30a0
-
Filesize
6KB
MD5cb221f95e03a5023106619de1a04b836
SHA1980eba66197f51139965da05ad7e59209b95a5f4
SHA2562b071970507bfe1a369ddb927fba5062f6a818268f5854184f7c04bfdc98bb2e
SHA5128f05ac29caf91cb5c8c550a71515618be08b0851928e5522ba5d9b6ce5d12a6f190886fc486830f87cf885dd9c1f4039bf3d3ee1cbfc49e76c23e667585afe37
-
Filesize
3KB
MD5199dff4dd325642438302b7849cf41fa
SHA18252119fe79a074dbaaf3d9b6965bad7db641a88
SHA25628f325c34f23668971c0da650568262ba1acb134cec7eee640bf9c9941abb32e
SHA512e008b14bf006c63f2a2230df63d1cd3cb921c23f98ca778bf71d75adb098ffee7cdbde5010fa2f23859e8678484c3e85d8dd4d8731ade9543b2f95d5b4e2a70d
-
Filesize
33KB
MD542cec614bb39c5f759dabb8218ec7974
SHA1d9c1955b0f50993889f21f96f3c93efca7aa2210
SHA256d12820484db0e1846034396f029f69738fa5433a83c2dd48f41cc8fcee611e40
SHA512de8c19f810a263cf9cd9de1c3d023f72f09827cb72c88a180f16c46867ba5991ffd7e2721a8a63c57914c82474393da42f6a9436fd5c0ac396d5b0729f366123
-
Filesize
34KB
MD59231d815af8323a061e3fa8a35808509
SHA14623d93ed487f3d7cf0f26a2319cc622e4b0bd0e
SHA256b9a833f9dfd42e92faa333a020f672f2189146a8dae8641c6a44b7fe8d3225dc
SHA512be845a751cf1ed8af5a662595fde2d08015748af0b1fcef8c60bc545feff5c604e0e26291d5c135013f82993d6bfa56ccb7dd3cc3a436e3750d8446171aa1c24
-
Filesize
4KB
MD5c487bc8ec03abbb10edba946b26741b7
SHA169d3741a60ef1b97c5f49005ccfddb5183c0bb5d
SHA256df28f78eff9a788da10fc8222e04dd9f4c7a99be77ccfa1776849631cca91d73
SHA512ec971794c3c05ed5a2c2b60c369e9eac15cf449b68243f297a56efede525820dfcf803e9828191b4c347476453a920c2a414f4e8b850693bd8cca8c99b0372a9
-
Filesize
34KB
MD5c27254dc90f81e67edf22118f69ef558
SHA1d7cc71072a2005d7ca3ca37b225fbee81a639955
SHA256697f9fd645ecb0d60608748cefdfd6d5644f42e64c3e026599a29152f6429d72
SHA512fe062c52c814ea3522f0d3d84ed2567991437fc7d5cb6190045a30e5f833895108d6f9ddd4750cbb63bd1af6d083e1dbd6dff8ffcb55c79242c6321655b28fb9
-
Filesize
34KB
MD5ce3eada8cfdc7b326f06d30b0f834f4e
SHA145fbd70660f585923b9b68605cd1b0b8c97aa5bf
SHA25634e8ad8a576b004e6f8b05f9b9a3d38046cb34b56053460e13f1bd1351692c05
SHA512d00cea8f7dd07ae022e4aef135de9dfde04b3894957ee8a9b9ff631c6e6feccc0f0a2db26ea6f3302a80e407da1b9929e9b1753f2e6dd7f4830e6f5fb8c41f95
-
Filesize
184KB
MD53b737d182b307176f0dc8099c5a6a55b
SHA111808217dd7290145ba71ba9e7485e6962a781e8
SHA256792c2e484271b81a078061b8f475b875cb5bf956267c403ad39e77b5a0f0dd79
SHA512e2704e3100447e0d821656989e4b6c88279ea8b5f491f287b5092d11761556ce497de0c5945642dbf516ae1d1e44f12580bee2019b10391dda1b4bc2b72d698d
-
Filesize
10KB
MD5f9616cef4c2d9e958471cd4279c6b1a5
SHA17909936b5341e03150d9e4a07750722ef620773a
SHA25613d955c9765dd9e61b650f7db0fa4e8b2351c0cf35c5a2e92a41760509709b16
SHA512f816fd786a27763290c3e3234de39080b48035846498ac52c5dbfcfed1d1c9ab41a36e346d2de8e13402e3ebde0f0fb01b6d6c6a8a24d74396eeefc00c28f4ce
-
Filesize
129B
MD5c7fe43d6ddcb0f01e1895116e49f4e51
SHA1f7257833d90ba5ddfec5db0e42bc8e5353f1e549
SHA256eee1e20ee66fb54638abf6e526cbd8845afe2106f87211154724514b6a0e563f
SHA5125f49f8a2123497d53739978f39becdd6909ba3e53b1bb6b9d559b5b64651bff30536c2faf3a65e2d6e79c2a85068ab7b54936a5754347fa58ff7c87247400142
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
176KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
176KB