General
- Target: Dropper.bat
- Size: 470B
- Sample: 240904-pgn5ca1drd
- MD5: 8073ff57f855d5cd51346f011933d9fb
- SHA1: d24fc282fb660945b87e1c41860a031f6e7ec9f6
- SHA256: 6bce98ce8751d6f87e97578a05e606a0b699f24c1a69b96cd28ef88d4984fe71
- SHA512: 9f2e04c4f8bdeab0e2075b5bc42edbe6a9ee4221fbf1ebbacd44238576e77f7b2d5f5d3ac90d433b8b6f5493fef51747405e14a5aa2cf59a4663b2cf385b4610
Static task: static1
Behavioral task: behavioral1
- Sample: Dropper.bat
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Dropper.bat
- Resource: win10v2004-20240802-en
Malware Config
Extracted: https://master-repogen.vercel.app/file/server.scr
Extracted: C:\wlJ8FiR2h.README.txt
lockbit
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
Targets
- Target: Dropper.bat
- Size: 470B
- MD5: 8073ff57f855d5cd51346f011933d9fb
- SHA1: d24fc282fb660945b87e1c41860a031f6e7ec9f6
- SHA256: 6bce98ce8751d6f87e97578a05e606a0b699f24c1a69b96cd28ef88d4984fe71
- SHA512: 9f2e04c4f8bdeab0e2075b5bc42edbe6a9ee4221fbf1ebbacd44238576e77f7b2d5f5d3ac90d433b8b6f5493fef51747405e14a5aa2cf59a4663b2cf385b4610
- Rule to detect Lockbit 3.0 ransomware Windows payload
- Renames multiple (634) files with added filename extension: this suggests ransomware activity of encrypting all the files on the system.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion: adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger