General
Target: 83b205bb50e0d0ce2953aa41a83b492840dfbe280fac4265a21f5a9fbf83cf26
Size: 2.6MB
Sample: 240904-rezjeashlb
MD5: 3d59930d6aa17f2d995ecc794effca4f
SHA1: a8df7be725ddb7f8db1079b0a79a9131f8084595
SHA256: 83b205bb50e0d0ce2953aa41a83b492840dfbe280fac4265a21f5a9fbf83cf26
SHA512: 4549d8b22d4fa52084517f4e53af223b448ea165a1e4122a3828194febaec626b451cb4f634d85e18c5e53e69ffd81cf8479f3230bd3e7b264a40e033359619f
SSDEEP: 49152:qjGygZeLGpZY/EkW/KVqMM3IY2NjvPjCc0b4fkQGYlunj4X1dBlrrs0/:0ozZtkW/KVPnL3qluEj4lHl1
Static task: static1
Behavioral task: behavioral1
  Sample: 166bba02413995aff28ffeb27d3bf3d5a5f6a6cd36893e252c7b9a22836f4980.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 166bba02413995aff28ffeb27d3bf3d5a5f6a6cd36893e252c7b9a22836f4980.exe
  Resource: win10v2004-20240802-en
Malware Config
Extracted from: C:\wlJ8FiR2h.README.txt
Family: lockbit
Targets
Target: 166bba02413995aff28ffeb27d3bf3d5a5f6a6cd36893e252c7b9a22836f4980.exe
Size: 5.1MB
MD5: be8bf725892ddd7a200d0a1906b9387f
SHA1: 582a24a72b29e70f2de26a8d217492c7a6b983ff
SHA256: 166bba02413995aff28ffeb27d3bf3d5a5f6a6cd36893e252c7b9a22836f4980
SHA512: 32d9d97692255e84cbd8c24794627bdfaa8ae41942bd449b678906f01d8b667d9d9785440f562132878987c682169b8ba9f9242a9f2abdf4b197d425ff1e7cb8
SSDEEP: 98304:MjHm6/Pi0bzB+Ot7nM3wnuZFm0qRttZYtToFbSO7VKoFbSO7VyoFbSO7VKoFbSO5:O5unMkMsMkM
- Rule to detect Lockbit 3.0 ransomware Windows payload
- Renames multiple (626) files with added filename extension
  This suggests ransomware activity: the sample is encrypting files across the system.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger