Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20-08-2024 08:49

General

  • Target

    ctrsys.exe

  • Size

    183KB

  • MD5

    3870e4591ce517d956771e23c361582d

  • SHA1

    28d09d35d3e5a8490ef4a4ebaa36262fa411afba

  • SHA256

    2c85d7c4dd069fff494edd19387d56e54a52f6ef1b557f3d775f999410eb5a4d

  • SHA512

    61dc0f9ca1a81170ef6aa4e514432079ebf12509eb615a191dae9f0e801d95748adf1cfd7d03dc5035dddd809458b0d42453b3fd51ca29cca3b8776a430de2d1

  • SSDEEP

    3072:8FuxfutjURbpYkH+wWtaiEGlIQZboLRG9ua/aHyvXgQd2md:8FEgjUXr7NGlVbAh

Malware Config

Extracted

Path

C:\MNYHU2Jh1.README.txt

Ransom Note
~~~ LockBit 5.02 the world's fastest ransomware since 2024~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom BTC amount 0.02 BTC amount 0 , deleted all files from you PC, and post all infirmation to public. where send BTC: bc1qm7sg7p2jkgthv7pkjy856sh9lr5x3yrpzv099d Time just 12 hr, after everythink will be removed You can buy them on the exchange or at an ATM https://coinatmradar.com. You can find the addresses here buy with credit or debet card online https://www.moonpay.com/buy. After that, send a request with confirmation to e-mail , faster way! [email protected] or [email protected] If both email no answer, you need faster answer and unlock please use TOX You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, tox. Tox ID LockBitSupp: 47C90F99E92AC0ECEAD8C2BD15B21866EBC1195B6E2B0412CE3658E21B696843FF4A8D144B24
URLs

https://coinatmradar.com

https://www.moonpay.com/buy

https://tox.chat/download.html

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Renames multiple (364) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ctrsys.exe
    "C:\Users\Admin\AppData\Local\Temp\ctrsys.exe"
    1⤵
    • Loads dropped DLL
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2872
    • C:\Users\Admin\AppData\Local\Temp\LB3.exe
      "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\ProgramData\3B6B.tmp
        "C:\ProgramData\3B6B.tmp"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3B6B.tmp >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1916
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x148
    1⤵
      PID:2372

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\CCCCCCCCCCC

      Filesize

      129B

      MD5

      82adba94104c4d8e1ac5fdbb5dcc99a1

      SHA1

      24ec074040973324eb107707b27c15fde3e7dc11

      SHA256

      9d6992e2e10662bd7b906cb36ae8083989de475bb8a760104d3cd6e2f35c1ca0

      SHA512

      227b23c406690f0032e5634568b079a82d4969b88a3c38b8970e91dfc86ca5701fa3b0f24be22042fc76b254fe9d1112528235c10bc299b8c4822fbbca65a7da

    • C:\MNYHU2Jh1.README.txt

      Filesize

      1KB

      MD5

      70f8acf921f004784b21982bdfb5fb9b

      SHA1

      a5fe82b54b1da9425c680e04ac9a0ea88ff4a225

      SHA256

      497cdf0c2b83ff7b52d2b0e06985a0dd70746291f1c7fef1dd191e286a8f71f4

      SHA512

      04c76d374ac49c6c6d72fd00c0bafe0bb50ab98f8e2e954f32c575720df623d1e1103954475e9a36a79de7820627ef5170d00ac1d768038e50ad1e4e80313084

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDD

      Filesize

      147KB

      MD5

      3a5b5579e7201ffaf0fa21ace50d47f9

      SHA1

      da3588f43550b42238c28aa0c67716636e61940e

      SHA256

      5218e7bb6ddf704b6578c9b37dd5312d70c667f0c2ca80c99a9f9f1ad045c10f

      SHA512

      424ff6d85679b4baaeaa36bd7da2d068c69315a20f844824ab845cd52203bb845440e28b9136936f49b88d595ae9fe33899c5ab721e077986526ccc6be38069f

    • F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      6ccb04dab0e9f3c35b56432fbaaf220b

      SHA1

      8106f3498e8cae0cd1fb5db36032bfb8fc514448

      SHA256

      b9ed1eeb5512a12bf9932a6bfb6f6d260d780ac896c98168a1abcf555fd488e2

      SHA512

      538beebab9266d7218b62cbc584105353fd09f35918f5932af84409bacb45d35058f232edff073283c05e006915938d4a4af02b42ac43f2538a395db3fca1d60

    • \ProgramData\3B6B.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • \Users\Admin\AppData\Local\Temp\LB3.exe

      Filesize

      147KB

      MD5

      5820e728cfad98d8673d29448c58c7d5

      SHA1

      cfe71685fd09fd14d2d2faa8618b2559438a8b1e

      SHA256

      5ccc9cb2e75c85b87f7244cca81c1acf6dfffe8f35a8c4d0ee00795872a9c9e7

      SHA512

      28ce7d774bd528a83e18fadf74e2826ae99031909e0907c83278604ba72a299942436721443ead9820a7e6bbc1f07c2e325886d316ed529fd12946c20e6cb9d4

    • memory/2792-17-0x0000000000820000-0x0000000000860000-memory.dmp

      Filesize

      256KB

    • memory/2872-0-0x000000007497E000-0x000000007497F000-memory.dmp

      Filesize

      4KB

    • memory/2872-7-0x00000000003B0000-0x00000000003BA000-memory.dmp

      Filesize

      40KB

    • memory/2872-4-0x0000000074970000-0x000000007505E000-memory.dmp

      Filesize

      6.9MB

    • memory/2872-3-0x000000007497E000-0x000000007497F000-memory.dmp

      Filesize

      4KB

    • memory/2872-692-0x0000000074970000-0x000000007505E000-memory.dmp

      Filesize

      6.9MB

    • memory/2872-2-0x0000000074970000-0x000000007505E000-memory.dmp

      Filesize

      6.9MB

    • memory/2872-1-0x0000000000370000-0x00000000003A4000-memory.dmp

      Filesize

      208KB

    • memory/2960-918-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB