Overview

overview

10

Static

static

10

6b20857125...d6.exe

windows7-x64

10

6b20857125...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-09-2024 19:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b20857125a5cc6c725c639928695fd8def531621b02cfcbc9b299f94b98f1d6.exe

  • Size

    156KB

  • MD5

    197bb399bad7cbc8eb879a933921ac5a

  • SHA1

    341caa5d5cdd17714bac347be0e73bfbae5c5e9e

  • SHA256

    6b20857125a5cc6c725c639928695fd8def531621b02cfcbc9b299f94b98f1d6

  • SHA512

    a430f6e599c879484a094390b07bfaf883b69fb012969244f22028edf55c9c684bae908f4e255a689d9d975ec126e3051539494ec6dd69d38ffe1827dee05eab

  • SSDEEP

    3072:NDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368xDX8MYo35szDeW:v5d/zugZqll3dDX8MLJgD

Score
10/10
defense_evasiondiscoveryransomware

Malware Config

Extracted

Path

C:\Users\AEaS2Fd3k.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: ABBE5B8FE945579FFBA3055D545232FF << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

  • Renames multiple (166) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b20857125a5cc6c725c639928695fd8def531621b02cfcbc9b299f94b98f1d6.exe
    "C:\Users\Admin\AppData\Local\Temp\6b20857125a5cc6c725c639928695fd8def531621b02cfcbc9b299f94b98f1d6.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\ProgramData\C4B7.tmp
      "C:\ProgramData\C4B7.tmp"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1156
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C4B7.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3940
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\DDDDDDDDDDD
    Filesize

    129B

    MD5

    78d8af66c2400bdefaac09a536f3a1aa

    SHA1

    fe1752e6a26f6e5f7e1d9d75860ea453290faf5f

    SHA256

    a43b3e9ce02f1f57cf110750c37fb18b1b600b312cb3e697deb8d65988083a58

    SHA512

    a28458198e484c67a3898b5fc93cebb4792056110d8f753f620f16da7ac4fce1a1eede5d8cf1bbe415b00af66495a6f11718cb7eb0b64bd0345300e6b0f90c5f

    Download Submit

  • C:\ProgramData\C4B7.tmp
    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    Download Submit

  • C:\Users\AEaS2Fd3k.README.txt
    Filesize

    3KB

    MD5

    b336f262a82d999034b6ebed21b98332

    SHA1

    d16f62cb896cdc848404e6e33edd1411dbed181b

    SHA256

    984be3cf0c2867539ed7af7be2eabf16781c528fd8b32e9e124c62f5b87bfd79

    SHA512

    78e1ae221d2ff0134f08140731afea4aa49ade9bb9df6d4192ddcdd4d92577ec5ef50e8c4498b4d2f78fed86fd75372c598fce4fc3fb9e4a3b6ec1ee4fbffe9b

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\AAAAAAAAAAA
    Filesize

    129B

    MD5

    e88488f0f6934885931392d63bb2de50

    SHA1

    dcb3822a3f8ff117e767d1e85ac815a10c53d63c

    SHA256

    2c10e540f31eb3c6ad5cbfee2c62f162d8fcc1c3efbbe562b0ec0274545594ad

    SHA512

    a5242a43f20ea9e1f0a2fc982b7c4615632042548ac58f6d0c05ccda151c58b2dad6e07d8af2136e91bb8937eae64c2d69052216e1303c422fcca75e29f90475

    Download Submit

  • memory/1156-319-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4772-1-0x00000000008C0000-0x00000000008D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4772-2-0x00000000008C0000-0x00000000008D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4772-0-0x00000000008C0000-0x00000000008D0000-memory.dmp

    Filesize

    64KB

    Download