Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
30-08-2024 01:57
General
-
Target
ggc.exe
-
Size
150KB
-
MD5
7e503c206e57f0295da017914a957d04
-
SHA1
96c375b9c57292db73c7ef2f2df16cf7be1604bb
-
SHA256
274844568a6a9ce334d71efeac21f528d7b54b2cd4377c978cc1270c6ad986c4
-
SHA512
cd4889ae107c54df854042e030eb431664d4db9d6dc908d1f1910ca49b89d247222f9d19440fcc2d9a120c95b56cd694750072ab9486eea961b8c33391344c1c
-
SSDEEP
3072:6qJogYkcSNm9V7DPaGkxDSzGmblnDPET:6q2kc4m9tDyNDSrdj
Malware Config
Extracted
C:\wlJ8FiR2h.README.txt
lockbit
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Renames multiple (368) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 5 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: RenamesItself 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ggc.exe"C:\Users\Admin\AppData\Local\Temp\ggc.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\3ADE.tmp"C:\ProgramData\3ADE.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3ADE.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\wlJ8FiR2h.README.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1481⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5b0700b97b9a57dc51969e7696e797099
SHA1f3b7efcb7b79b7fbafe42be0bbf2859c931006b0
SHA256e843ba5591a7d46fed03cd2db5df125d8906d9c89c31282483422f4cf909dc35
SHA51254218ea84d09a364b66fa56459f0c2f34ac3b433d4a86f58c1dcb43dd849fad9e6bd524b58103d7aa78246462e2a134b974d65cd2245e6391660268987efa8db
-
Filesize
150KB
MD573b1af23498fe61c5a943d145c221eec
SHA185309e0afa59830813fdffe5e7e57a1a1e1cd029
SHA256169f85784f87bd2555a26bf9595d1b0b91c7227b35b39117df59fb3feab6f5e8
SHA5129e1ba99a2fe897ec584bf254b1519b4c60cd34dfbc2dca6c70aa51d21be8b7cf58b93e74d2bd2a3f5d46d7a2fb306d5d992b106baa1599c03d7415ad8fe3912c
-
Filesize
3KB
MD5b9674de0868a93e9121bdb1d02d80130
SHA179d692fd03d3110a4358e2cc7442af9517489f3f
SHA2569268d24e96639cf4c0e8d74f9769092b415015692ea528820faaded6fc5b052c
SHA512b3264ad33eddedb2c18da883e2345247c762adc8a604991fce931cba06b86c361d23fa121e79d6c69948a2d5b9c1613139f401b971360d9d684abb5a61543c02
-
Filesize
129B
MD5883bb4c7088e8ce90e7e0916a9f41d70
SHA1d386c94984277d1b1694c5a079aaa65721da2a94
SHA25687f88e719b7827696a0b69446ef5d2b4fc8520be3ee0ac11f2721d69d5a44283
SHA512e9789a7a974904a714e5a927f7ffa8bd1957926f5701a6f5cd5f00fb8e133fa839f0af0e69c0198902aaa98b675bdebc2958ceadbb531d50f2fc80e255a4d516
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
256KB