Analysis

  • max time kernel
    100s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-08-2024 08:49

General

  • Target

    ctrsys.exe

  • Size

    183KB

  • MD5

    3870e4591ce517d956771e23c361582d

  • SHA1

    28d09d35d3e5a8490ef4a4ebaa36262fa411afba

  • SHA256

    2c85d7c4dd069fff494edd19387d56e54a52f6ef1b557f3d775f999410eb5a4d

  • SHA512

    61dc0f9ca1a81170ef6aa4e514432079ebf12509eb615a191dae9f0e801d95748adf1cfd7d03dc5035dddd809458b0d42453b3fd51ca29cca3b8776a430de2d1

  • SSDEEP

    3072:8FuxfutjURbpYkH+wWtaiEGlIQZboLRG9ua/aHyvXgQd2md:8FEgjUXr7NGlVbAh

Malware Config

Extracted

Path

C:\MNYHU2Jh1.README.txt

Ransom Note
~~~ LockBit 5.02 the world's fastest ransomware since 2024~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom BTC amount 0.02 BTC amount 0 , deleted all files from you PC, and post all infirmation to public. where send BTC: bc1qm7sg7p2jkgthv7pkjy856sh9lr5x3yrpzv099d Time just 12 hr, after everythink will be removed You can buy them on the exchange or at an ATM https://coinatmradar.com. You can find the addresses here buy with credit or debet card online https://www.moonpay.com/buy. After that, send a request with confirmation to e-mail , faster way! [email protected] or [email protected] If both email no answer, you need faster answer and unlock please use TOX You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, tox. Tox ID LockBitSupp: 47C90F99E92AC0ECEAD8C2BD15B21866EBC1195B6E2B0412CE3658E21B696843FF4A8D144B24
URLs

https://coinatmradar.com

https://www.moonpay.com/buy

https://tox.chat/download.html

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Renames multiple (615) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ctrsys.exe
    "C:\Users\Admin\AppData\Local\Temp\ctrsys.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:5004
    • C:\Users\Admin\AppData\Local\Temp\LB3.exe
      "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4708
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        • Drops file in System32 directory
        PID:5268
      • C:\ProgramData\FC62.tmp
        "C:\ProgramData\FC62.tmp"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5720
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FC62.tmp >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5952
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:5212
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5556
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{19A05935-9563-4B23-AD07-587802B9807F}.xps" 133686173862560000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:5676

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\LLLLLLLLLLL

      Filesize

      129B

      MD5

      939bf0f3d77c8f77dcf28ea225dc58d8

      SHA1

      53558dbf17160720bd4746152235aa5ca021c266

      SHA256

      5c306a8c5ee2ceb494a2e5ef01eb781cc5e9e2fc9d7de7f35e484953c499ddfd

      SHA512

      dbf13ed6c67ead377a7669d9b632cb5c0431a1e1515c30a9768875d884910b9b372b06994712a6f0f86326c668623b2a407c05518e375a69b7f4eb7e1a7c6f69

    • C:\MNYHU2Jh1.README.txt

      Filesize

      1KB

      MD5

      70f8acf921f004784b21982bdfb5fb9b

      SHA1

      a5fe82b54b1da9425c680e04ac9a0ea88ff4a225

      SHA256

      497cdf0c2b83ff7b52d2b0e06985a0dd70746291f1c7fef1dd191e286a8f71f4

      SHA512

      04c76d374ac49c6c6d72fd00c0bafe0bb50ab98f8e2e954f32c575720df623d1e1103954475e9a36a79de7820627ef5170d00ac1d768038e50ad1e4e80313084

    • C:\ProgramData\FC62.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\LB3.exe

      Filesize

      147KB

      MD5

      5820e728cfad98d8673d29448c58c7d5

      SHA1

      cfe71685fd09fd14d2d2faa8618b2559438a8b1e

      SHA256

      5ccc9cb2e75c85b87f7244cca81c1acf6dfffe8f35a8c4d0ee00795872a9c9e7

      SHA512

      28ce7d774bd528a83e18fadf74e2826ae99031909e0907c83278604ba72a299942436721443ead9820a7e6bbc1f07c2e325886d316ed529fd12946c20e6cb9d4

    • C:\Users\Admin\AppData\Local\Temp\LB3.exe

      Filesize

      147KB

      MD5

      095a563b46f19b64a8ef6bf4149ce1a6

      SHA1

      ca7171510ff66a3b554ef83a3255554c6cc3490a

      SHA256

      a3a6bddb409217e6c8e937aae863b6e8b4d9761ecd9a21ff87f6d9924d741723

      SHA512

      aaba50dc4b407b2a4375b71e6d3b12f0471ee313a205a85e0f1e429af71c15cdcc6caabcc792f32efb3231e7e9f4033c275b85247ee3fa54d67622a9dc5dbd6a

    • C:\Users\Admin\AppData\Local\Temp\{B480A035-EE7C-4633-8847-945C6D8B7EF3}

      Filesize

      4KB

      MD5

      09c46a58b453a350184e471cba3f1fcb

      SHA1

      164fbbed4164934f4ba35042d8c89ae896f393b8

      SHA256

      39334db5e3beea21dce4c259d798c2d19a9164c0d89db8cb9459494019ea239c

      SHA512

      72af18cb28da30298d9b933ddd7ac37e824e40d8bd014f4d9fc250d9571e024ddde97b2de0dc629bcecd20453839cb2c5607b7b97ef960b7407f75797ab27ce8

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      902bb0f7a2dae26b8dc30d7efef61898

      SHA1

      13ec079b31d88e95e97bef1104d7ef79cff9f2ef

      SHA256

      0b7a69b64676e4288c9fefb8122996f0faa646092248efa063eb3d8e94802e66

      SHA512

      9b43bf5ea3ab750201c66ac26c51e38d80974706b3c83f853c79a3d2cbc0421b427ac6af86dfc40e32a05cba9c8eb5370e362d526b3ef090fd52b510531ca896

    • F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      9b32c1a7c7a5986b79eb23ef17ca9c27

      SHA1

      20a72f7ea88f6f554631c0d61496a597f63c4039

      SHA256

      a7783a7658d7b8e98d503e12953ee22d3df7860e26cad7f2e6644bf9e43d1606

      SHA512

      04f3dc57d01d667afa9cb999a7d597cb57a0fa4c96744a67f406c1d329b649c2ff94e162beb75dc91d5e079053e6bb9f5ed0cc38aba05b5724585cf41bcd9d6c

    • memory/4708-2975-0x0000000002C70000-0x0000000002C80000-memory.dmp

      Filesize

      64KB

    • memory/4708-2976-0x0000000002C70000-0x0000000002C80000-memory.dmp

      Filesize

      64KB

    • memory/4708-2974-0x0000000002C70000-0x0000000002C80000-memory.dmp

      Filesize

      64KB

    • memory/4708-24-0x0000000002C70000-0x0000000002C80000-memory.dmp

      Filesize

      64KB

    • memory/4708-22-0x0000000002C70000-0x0000000002C80000-memory.dmp

      Filesize

      64KB

    • memory/4708-23-0x0000000002C70000-0x0000000002C80000-memory.dmp

      Filesize

      64KB

    • memory/5004-8-0x000000007516E000-0x000000007516F000-memory.dmp

      Filesize

      4KB

    • memory/5004-3-0x0000000005770000-0x0000000005802000-memory.dmp

      Filesize

      584KB

    • memory/5004-12-0x0000000007500000-0x000000000750A000-memory.dmp

      Filesize

      40KB

    • memory/5004-9-0x0000000075160000-0x0000000075910000-memory.dmp

      Filesize

      7.7MB

    • memory/5004-0-0x000000007516E000-0x000000007516F000-memory.dmp

      Filesize

      4KB

    • memory/5004-853-0x0000000007350000-0x000000000735A000-memory.dmp

      Filesize

      40KB

    • memory/5004-886-0x0000000075160000-0x0000000075910000-memory.dmp

      Filesize

      7.7MB

    • memory/5004-7-0x0000000006400000-0x0000000006466000-memory.dmp

      Filesize

      408KB

    • memory/5004-6-0x00000000059D0000-0x00000000059E8000-memory.dmp

      Filesize

      96KB

    • memory/5004-5-0x0000000075160000-0x0000000075910000-memory.dmp

      Filesize

      7.7MB

    • memory/5004-1-0x0000000000E70000-0x0000000000EA4000-memory.dmp

      Filesize

      208KB

    • memory/5004-2-0x0000000005DE0000-0x0000000006384000-memory.dmp

      Filesize

      5.6MB

    • memory/5004-13-0x0000000007760000-0x00000000077B0000-memory.dmp

      Filesize

      320KB

    • memory/5004-4-0x0000000005830000-0x00000000058CC000-memory.dmp

      Filesize

      624KB

    • memory/5676-2994-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

      Filesize

      64KB

    • memory/5676-2996-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

      Filesize

      64KB

    • memory/5676-2990-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

      Filesize

      64KB

    • memory/5676-3025-0x00007FF898EF0000-0x00007FF898F00000-memory.dmp

      Filesize

      64KB

    • memory/5676-3026-0x00007FF898EF0000-0x00007FF898F00000-memory.dmp

      Filesize

      64KB

    • memory/5676-2991-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

      Filesize

      64KB

    • memory/5676-2989-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

      Filesize

      64KB