Overview

overview

10

Static

static

3

2024-08-30...ry.exe

windows7-x64

10

2024-08-30...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    30-08-2024 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-30_eb78a7bd3200e1635ba307856f32745f_lockbit_wannacry.exe

  • Size

    146KB

  • MD5

    eb78a7bd3200e1635ba307856f32745f

  • SHA1

    1e22294cd479bb23fe43c1573cd9d263f1f6d2fa

  • SHA256

    113fc9865d0231fff4a2863a249bb3d74166717391ea2a862d1f9d7cfca56e60

  • SHA512

    262c3fabd6967a4b17b0ad52c9edefdd34752836dc8903d9d2758ef3d68e4321d5d4c2cb3ef41c31de40cbe97ba10d74b438ba0860a77fcefb09d4b1b3a0a3f5

  • SSDEEP

    3072:V6ZkRGjkBrmKmY99UpkD1/34bIpVSrtLmqc2LVMMqqD/h2LuTeONA5tIHVc:IS9rLPPUpa3VVEtLXcCqqD/hOQnaMc

Score
10/10
lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?812081C6D1A3350FCA2EAC52BBC113FB | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?812081C6D1A3350FCA2EAC52BBC113FB This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?812081C6D1A3350FCA2EAC52BBC113FB

http://lockbitks2tvnmwk.onion/?812081C6D1A3350FCA2EAC52BBC113FB

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?812081C6D1A3350FCA2EAC52BBC113FB Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?812081C6D1A3350FCA2EAC52BBC113FB This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?812081C6D1A3350FCA2EAC52BBC113FB

http://lockbitks2tvnmwk.onion/?812081C6D1A3350FCA2EAC52BBC113FB

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (9361) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-30_eb78a7bd3200e1635ba307856f32745f_lockbit_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-30_eb78a7bd3200e1635ba307856f32745f_lockbit_wannacry.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2700
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1992
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1880
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1540
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:1652
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      PID:1580
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-08-30_eb78a7bd3200e1635ba307856f32745f_lockbit_wannacry.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2024-08-30_eb78a7bd3200e1635ba307856f32745f_lockbit_wannacry.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.7 -n 3
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2656
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-08-30_eb78a7bd3200e1635ba307856f32745f_lockbit_wannacry.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:924
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2684
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2312
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2984
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:1632

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      Windows Management Instrumentation

      1
      T1047

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Direct Volume Access

      1
      T1006

      Indicator Removal

      3
      T1070

      File Deletion

      3
      T1070.004

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Defacement

      1
      T1491

      Inhibit System Recovery

      4
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt
        Filesize

        1KB

        MD5

        bb683f55b41a9655d6bdd683d0ba30cc

        SHA1

        98e0044f4c71a0d0dc98c563c306adcd156eb27a

        SHA256

        83644b1137a4ec7a56125911f6f4a3a5b6b0b1e9e09781e42a2b04f1131bb60c

        SHA512

        90d5937d991831352f83d4980f88d760d8e8b19b7e4b30caee0606f13cc07aa1ad2c761b84740b6a93f30b3fa2cf606d0adf868f0f67ecbcb80315c67c1d84ca

        Download Submit

      • C:\Users\Admin\Desktop\LockBit-note.hta
        Filesize

        17KB

        MD5

        b0f514e4a51dc8f853ba4378d4d19c88

        SHA1

        547ab395ea03cfb4edf0e756665d2653c97536b6

        SHA256

        33b2fdd66d0fbcc57b3b6e07e1611ef8be7538587ae235688ce943267e154cd7

        SHA512

        d91072156992e8874d38ded6bb74b955a4a1629747c4ddde7e601a0a076bd355098eec9f62b683ec86a8ffb1732a04c1078b148fd441c8bf96b1f5f73ae405b4

        Download Submit