Overview

overview

10

Static

static

1

F-Secure-S...er.exe

windows10-2004-x64

10

F-Secure-S...er.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    110s
  • max time network
    122s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    27-08-2024 09:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    F-Secure-Safe-Network-Installer.exe

  • Size

    3.0MB

  • MD5

    9c15aac2f31dd9e1e8d64cf8f04ea5d6

  • SHA1

    aaeeb05a24f6e7ef77d46ba71794490afbc414ab

  • SHA256

    e082c6d30278139fdab5a7ddddecbcbafad12ab4dff1d5a960d9704fe635c007

  • SHA512

    0249416a9a1b526b887007704133166353fa97f9def8e57725092ee61f3bc0f5090238699c47733962495cd64550413acf25ff3086d1617e4440e9b6eba1a975

  • SSDEEP

    49152:+zk68h1xr/Rq09zUWUus6qidDQjvBJVSq2UCur80qDt5OXqj:+I6Q/Rq09zUWUus6qidE80qDt5OXqj

Score
10/10
lockbitdefense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\wlJ8FiR2h.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom DeathGrip Ransomware Attack | t.me/DeathGripRansomware This computer is attacked by russian ransomware community of professional black hat hackers. Your every single documents / details is now under observation of those hackers. If you want to get it back then you have to pay 1000$ for it. This Attack Is Done By Team RansomVerse You Can Find Us On Telegram @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware #DeathGripMalware >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on Telegram t.me/DeathGripRansomware >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using on Telegram messenger without registration and text t.me/DeathGripRansomware Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
URLs

http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion

http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion

http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion

http://lockbitsupp.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Renames multiple (600) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\F-Secure-Safe-Network-Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\F-Secure-Safe-Network-Installer.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Users\Admin\AppData\Local\Temp\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\installer.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        • Drops file in System32 directory
        PID:1108
      • C:\ProgramData\C3AF.tmp
        "C:\ProgramData\C3AF.tmp"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2180
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C3AF.tmp >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2432
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:2064
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{D7FBC7BF-7C85-4B79-9340-F1774BE5DBF2}.xps" 133692254436530000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1660
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\wlJ8FiR2h.README.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:548

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2227988167-2813779459-4240799794-1000\LLLLLLLLLLL
      Filesize

      129B

      MD5

      2acad5e5a0b98e940aab191726458327

      SHA1

      f773699367aa46b5f4f61b3c50b04bf594aadf9d

      SHA256

      c273eda32bde5f8509e6c9f4ee6034c8f1840a8c70d967e3a5bbc46816774bde

      SHA512

      52493982852bc744601a4d40d301ee5693e63ffdad45b794658c3180d5c0c0b501069376c8a245ebeb47cd6e4c711d73d93bf81d5613e34123e26e1a62525959

      Download Submit

    • C:\ProgramData\C3AF.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{D7FBC7BF-7C85-4B79-9340-F1774BE5DBF2}.xps
      Filesize

      13.0MB

      MD5

      79fd608a528cdd030566a462b7bdfffa

      SHA1

      0d32af13f58c9676a7620f9b2e6094520b68d35b

      SHA256

      7130d3c91c351511fc1e893b541a90a97b950f038017a82e38e99751f7e3f1ea

      SHA512

      d18f96b630ba78b1b9e61d43827da7b970953e110806629956300ff67544086a052bafc57dd9f404efccd530612d2579a83665714c8b144912bdc1c025f1861b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\HHHHHHHHHHHHH
      Filesize

      150KB

      MD5

      6d8c0d500efa8cf4d305b6477be0cbcb

      SHA1

      f8ac67426d0b917b6c3450633601658aaafff643

      SHA256

      1dfcf26121d7ecf3394c099aaf41c63fecf4e667aab54f119ee155bfdecfde79

      SHA512

      9dda3b2dab2a6f7df47ca271980c88fcf5c6eab43dfaf85563d0f6c35cba33f9e0b52c75901b5992eb902fda8de62913df9e5f1f139f71faec9cd52ffa597ac0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\installer.exe
      Filesize

      150KB

      MD5

      7e503c206e57f0295da017914a957d04

      SHA1

      96c375b9c57292db73c7ef2f2df16cf7be1604bb

      SHA256

      274844568a6a9ce334d71efeac21f528d7b54b2cd4377c978cc1270c6ad986c4

      SHA512

      cd4889ae107c54df854042e030eb431664d4db9d6dc908d1f1910ca49b89d247222f9d19440fcc2d9a120c95b56cd694750072ab9486eea961b8c33391344c1c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{D5AB0442-00F5-4CFC-B129-15C4E5EFD632}
      Filesize

      4KB

      MD5

      f2a342635373434739ae983d99dc44e0

      SHA1

      f96525a07ceb7ff3e13aef3913bb10d03472fd39

      SHA256

      ec3949311e11d6f8c1f0d6c14b48221aa695947f75c0bed729cb67a602d9dbeb

      SHA512

      b76595afd858fc4b9f103888a8a5b34229f621e0cb77b8cd8b7106bfec87a2d12d4dfcb5d5d8af37d6513fd1a492f1f20f5fec3e825d49a37e1f8c6011201d39

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{FE2315A2-1F9A-4560-9C90-3E56F353BD1D}
      Filesize

      4KB

      MD5

      1b2da5eccf3d5e50021701c757ba5bf1

      SHA1

      b0dbe0003852a28ef4503d375a0f9dc1ed81f115

      SHA256

      5574c553df2784ebcfd9607c5c26db05095b5f48b4cad1399b332ea01ba68f64

      SHA512

      922ebe28610b10cd73dcb28f319a37284b6dc945956d3c010d32a0f9cb720d301bc9465513ff92669f9241ee4f344087c4a3bdfd94d1a90b2ffec4afab75c33c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
      Filesize

      16B

      MD5

      d29962abc88624befc0135579ae485ec

      SHA1

      e40a6458296ec6a2427bcb280572d023a9862b31

      SHA256

      a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

      SHA512

      4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      85dbbbeb466879fa59aa898f39ce1e4a

      SHA1

      88ab88124cb6f6650474af4aef0fe96031234349

      SHA256

      9190ca9b20cde3d3e482ef56bb435c9d9618e520e39ebef33ec74aa7e4c15333

      SHA512

      1f75aecc87f6d7d2e07eb6310a525f9e4b0430b39afba0448301930dd9322984a0cf221f194c13f3867593c220d76d1fc691f2a810bc72918d69c1a66d63bc68

      Download Submit

    • C:\wlJ8FiR2h.README.txt
      Filesize

      3KB

      MD5

      b9674de0868a93e9121bdb1d02d80130

      SHA1

      79d692fd03d3110a4358e2cc7442af9517489f3f

      SHA256

      9268d24e96639cf4c0e8d74f9769092b415015692ea528820faaded6fc5b052c

      SHA512

      b3264ad33eddedb2c18da883e2345247c762adc8a604991fce931cba06b86c361d23fa121e79d6c69948a2d5b9c1613139f401b971360d9d684abb5a61543c02

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2227988167-2813779459-4240799794-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      e388500092daedcdd08120554eab3ccd

      SHA1

      54b8ab6fab79cbef8de44e104b175d490637668d

      SHA256

      808d0048f6866ff3cd6e41c8eac131b5b6d0e71d95c04e28213fca27ed25e68f

      SHA512

      bafb7605ecd1c1f91d00b80c19e75bad825e0a07d7d67180c97a2953b7d45c79322dac6a9f7149444a6dd00b00c10f28b196076d00af1b1c0f2a63e408879873

      Download Submit

    • memory/1660-2903-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1660-2899-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1660-2900-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1660-2936-0x00007FFA7F040000-0x00007FFA7F050000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1660-2937-0x00007FFA7F040000-0x00007FFA7F050000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1660-3059-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1660-3058-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1660-2902-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1660-3060-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1660-3057-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1660-2901-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2564-2887-0x00007FF65C990000-0x00007FF65CB12000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2564-2938-0x00007FF65C990000-0x00007FF65CB12000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/4928-15-0x00000000032F0000-0x0000000003300000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4928-17-0x00000000032F0000-0x0000000003300000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4928-16-0x00000000032F0000-0x0000000003300000-memory.dmp

      Filesize

      64KB

      Download