Analysis
-
max time kernel
148s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
04-09-2024 14:07
General
-
Target
166bba02413995aff28ffeb27d3bf3d5a5f6a6cd36893e252c7b9a22836f4980.exe
-
Size
5.1MB
-
MD5
be8bf725892ddd7a200d0a1906b9387f
-
SHA1
582a24a72b29e70f2de26a8d217492c7a6b983ff
-
SHA256
166bba02413995aff28ffeb27d3bf3d5a5f6a6cd36893e252c7b9a22836f4980
-
SHA512
32d9d97692255e84cbd8c24794627bdfaa8ae41942bd449b678906f01d8b667d9d9785440f562132878987c682169b8ba9f9242a9f2abdf4b197d425ff1e7cb8
-
SSDEEP
98304:MjHm6/Pi0bzB+Ot7nM3wnuZFm0qRttZYtToFbSO7VKoFbSO7VyoFbSO7VKoFbSO5:O5unMkMsMkM
Malware Config
Extracted
C:\wlJ8FiR2h.README.txt
lockbit
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
-
Renames multiple (626) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\166bba02413995aff28ffeb27d3bf3d5a5f6a6cd36893e252c7b9a22836f4980.exe"C:\Users\Admin\AppData\Local\Temp\166bba02413995aff28ffeb27d3bf3d5a5f6a6cd36893e252c7b9a22836f4980.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ggc.exe"C:\Users\Admin\AppData\Local\Temp\ggc.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
- Drops file in System32 directory
-
-
C:\ProgramData\FB78.tmp"C:\ProgramData\FB78.tmp"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FB78.tmp >> NUL4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{A1DB22E4-5CC7-4662-B99B-326B47FCE42B}.xps" 1336993244035100002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5d6cd92cde8ba52f8b9736a0fe6c419ea
SHA120bd6860cd42dcda08681c00f86bf18165c60287
SHA256904a05fbbeb87bec6ba8490a410baf3af97ca292a5841aed5735315e32d49b78
SHA5126b84bc9badcade1396f95d047bf8a62fcc4da04581e2492e3b2d83bd4210d0bd0cd434c932060ffa7bfd17adfc94b646e8af61e9359dd6f54090cb9f2f0609cb
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
150KB
MD52861bcaefe58213b32b656c38430c4d8
SHA16f2b93cbad574858b51c4185a371f74cd0b06a54
SHA2567386a459521d897e513ca5f87215120a656ac5545960830671c20add0286d22d
SHA512e69548034820267766fa0a01fd494ea1c136b0fca639c0abcc6ab2ac0b4e3929d7863b07b71a9b0287e567bf8041d699e063e3f841872264a6bc507787b55b2d
-
Filesize
150KB
MD57e503c206e57f0295da017914a957d04
SHA196c375b9c57292db73c7ef2f2df16cf7be1604bb
SHA256274844568a6a9ce334d71efeac21f528d7b54b2cd4377c978cc1270c6ad986c4
SHA512cd4889ae107c54df854042e030eb431664d4db9d6dc908d1f1910ca49b89d247222f9d19440fcc2d9a120c95b56cd694750072ab9486eea961b8c33391344c1c
-
Filesize
4KB
MD51355db9b4a68bfcd2354320c5bb4cdce
SHA127630f3b4dc1f9b14e06dbe95f0ebc8749900546
SHA256f08dee41d7be7dd65c4d550847d771cacce70aab4654720211d9d1ef7c3f09b6
SHA5129e50d2a4709935331e2f8108b6b400802a23eb6a7706ef338589030ef283095673bf7938f6a03dee393374f1549d7177066d98635c232956a2cd8be35905bae8
-
Filesize
4KB
MD573b23c51f86411d8d526b296db0f8f6d
SHA1c2dd8404948c97c984bccdddbf8acad50c601758
SHA256331444a018594a75ce5a3c631109c43543e1cd79a4a369f26ec7a31cae2f133e
SHA512a3d0dcc7d088d15d7f0701c81f1921d67badf4438b838dae90b06928c32f0fc78373d2a639f162e76ca8bafef98cbe0e390bca74f6e315dd632b4cdde0f3e608
-
Filesize
3KB
MD5b9674de0868a93e9121bdb1d02d80130
SHA179d692fd03d3110a4358e2cc7442af9517489f3f
SHA2569268d24e96639cf4c0e8d74f9769092b415015692ea528820faaded6fc5b052c
SHA512b3264ad33eddedb2c18da883e2345247c762adc8a604991fce931cba06b86c361d23fa121e79d6c69948a2d5b9c1613139f401b971360d9d684abb5a61543c02
-
Filesize
129B
MD5adf4edcf068012f5d9d1e50ddbe41462
SHA1d08ac943af55aa6479c86f6186f656e2234a9b10
SHA25603c42cbb1f6fb6a6fafe5b3b5fd17b126531efafdfc415cf61c6c4f758cca939
SHA51291a5b4681b06ed8ca3df8e731201c5f513b38234b55506bd3df7bae3fbe44175db9803fe5a3aaad0de6ba7966c1e52d540cdccc6305048b7b3d08dc9496b1c14
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB