Overview

overview

10

Static

static

3

2c85d7c4dd...4d.exe

windows7-x64

10

2c85d7c4dd...4d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    21/08/2024, 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c85d7c4dd069fff494edd19387d56e54a52f6ef1b557f3d775f999410eb5a4d.exe

  • Size

    183KB

  • MD5

    3870e4591ce517d956771e23c361582d

  • SHA1

    28d09d35d3e5a8490ef4a4ebaa36262fa411afba

  • SHA256

    2c85d7c4dd069fff494edd19387d56e54a52f6ef1b557f3d775f999410eb5a4d

  • SHA512

    61dc0f9ca1a81170ef6aa4e514432079ebf12509eb615a191dae9f0e801d95748adf1cfd7d03dc5035dddd809458b0d42453b3fd51ca29cca3b8776a430de2d1

  • SSDEEP

    3072:8FuxfutjURbpYkH+wWtaiEGlIQZboLRG9ua/aHyvXgQd2md:8FEgjUXr7NGlVbAh

Score
10/10
lockbitcollectioncredential_accessdefense_evasiondiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\MNYHU2Jh1.README.txt

Ransom Note
~~~ LockBit 5.02 the world's fastest ransomware since 2024~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom BTC amount 0.02 BTC amount 0 , deleted all files from you PC, and post all infirmation to public. where send BTC: bc1qm7sg7p2jkgthv7pkjy856sh9lr5x3yrpzv099d Time just 12 hr, after everythink will be removed You can buy them on the exchange or at an ATM https://coinatmradar.com. You can find the addresses here buy with credit or debet card online https://www.moonpay.com/buy. After that, send a request with confirmation to e-mail , faster way! [email protected] or [email protected] If both email no answer, you need faster answer and unlock please use TOX You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, tox. Tox ID LockBitSupp: 47C90F99E92AC0ECEAD8C2BD15B21866EBC1195B6E2B0412CE3658E21B696843FF4A8D144B24
URLs

https://coinatmradar.com

https://www.moonpay.com/buy

https://tox.chat/download.html

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Renames multiple (323) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c85d7c4dd069fff494edd19387d56e54a52f6ef1b557f3d775f999410eb5a4d.exe
    "C:\Users\Admin\AppData\Local\Temp\2c85d7c4dd069fff494edd19387d56e54a52f6ef1b557f3d775f999410eb5a4d.exe"
    1⤵
    • Loads dropped DLL
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2388
    • C:\Users\Admin\AppData\Local\Temp\LB3.exe
      "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\ProgramData\F595.tmp
        "C:\ProgramData\F595.tmp"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F595.tmp >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:672
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:336

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Indicator Removal

    1
    T1070

    File Deletion

    1
    T1070.004

    Modify Registry

    2
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    5
    T1552

    Credentials In Files

    4
    T1552.001

    Credentials in Registry

    1
    T1552.002

    Discovery

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    4
    T1005

    Email Collection

    1
    T1114

    Command and Control

    Exfiltration

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini
      Filesize

      129B

      MD5

      c315544f5a69916c724f3dab064c0446

      SHA1

      6cde79883806203fedea8df1e5b642d00810af63

      SHA256

      8b8cd2ff58d2c68ed9e0a1f7d02f46871d295a8229916acb6b1bfa1ff4600148

      SHA512

      d6f054ceb8eb1ca88377b80054f33154e6c1214985cdc45f31292fb977be47b640f0c22e9221432e91e25148a61f59d0def2fb5029fa9d4c5a7863dae8f230dc

      Download Submit

    • C:\MNYHU2Jh1.README.txt
      Filesize

      1KB

      MD5

      70f8acf921f004784b21982bdfb5fb9b

      SHA1

      a5fe82b54b1da9425c680e04ac9a0ea88ff4a225

      SHA256

      497cdf0c2b83ff7b52d2b0e06985a0dd70746291f1c7fef1dd191e286a8f71f4

      SHA512

      04c76d374ac49c6c6d72fd00c0bafe0bb50ab98f8e2e954f32c575720df623d1e1103954475e9a36a79de7820627ef5170d00ac1d768038e50ad1e4e80313084

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDD
      Filesize

      147KB

      MD5

      2c6ae8ac412a41c4fb20e6ef1367e438

      SHA1

      a0fe5e206d35998c96cced0017fbfb780fa16c54

      SHA256

      9eebcfb1754d912583c87ec40fcd3d07e5044a7906af627c4243204062412073

      SHA512

      367abe9d2b8cce63fc665d8326f159e8ec16455d590d6c0e2b5618ad30a8159dd6f5a96b9f9391a257dc725b7a9264869d242ce691aa3ccdb4f3867f23b8457b

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\FFFFFFFFFFF
      Filesize

      129B

      MD5

      2629bee861410167f04cf382a4d06fdb

      SHA1

      31ad2c602891f239db3cf1d07f4c91cd58f6f5fd

      SHA256

      2a4259ca42415a996c9133dd95f47add84737f2b4d380cc70a28170421f7d613

      SHA512

      3f8d3f1d08b156c003cfdce9c3b1c67a966aae5a03753ddcf24de299b38274e1bb79345a5e547c58e908008175922a227906891e5f09da0f094df0f90a5545b9

      Download Submit

    • \ProgramData\F595.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • \Users\Admin\AppData\Local\Temp\LB3.exe
      Filesize

      147KB

      MD5

      5820e728cfad98d8673d29448c58c7d5

      SHA1

      cfe71685fd09fd14d2d2faa8618b2559438a8b1e

      SHA256

      5ccc9cb2e75c85b87f7244cca81c1acf6dfffe8f35a8c4d0ee00795872a9c9e7

      SHA512

      28ce7d774bd528a83e18fadf74e2826ae99031909e0907c83278604ba72a299942436721443ead9820a7e6bbc1f07c2e325886d316ed529fd12946c20e6cb9d4

      Download Submit

    • memory/2388-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-7-0x0000000000440000-0x000000000044A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2388-4-0x00000000745E0000-0x0000000074CCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2388-3-0x00000000745EE000-0x00000000745EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-651-0x00000000745E0000-0x0000000074CCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2388-2-0x00000000745E0000-0x0000000074CCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2388-1-0x0000000000ED0000-0x0000000000F04000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2624-17-0x0000000002540000-0x0000000002580000-memory.dmp

      Filesize

      256KB

      Download