General

  • Target

    2024-09-24_ef7eb0e31e5ef78258750ce2c9d2428c_darkside

  • Size

    146KB

  • Sample

    240924-e4rtmstblm

  • MD5

    ef7eb0e31e5ef78258750ce2c9d2428c

  • SHA1

    e16d0b8796f9c745a195c0dedad9945b7978c553

  • SHA256

    3cbf36af1e82cb4ee52facdefedc1eb5e5823242721c81f12f14f8657773c9f9

  • SHA512

    8cd326170f92762cdecc69f6b27a8f6220c4cb547750dbd2173afffba36866501372534b37bfbf057faa039cd3877a627041c53c30d9b9d2f2d054b036629713

  • SSDEEP

    3072:I6glyuxE4GsUPnliByocWepXjZ3Csy+hs4Sf33Q:I6gDBGpvEByocWeNhvSfQ

Malware Config

Extracted

Path

C:\sOZaWmhTR.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need to contact us with your personal DECRYPTION ID: D935BE7A0BBC77285D6CF9E3C2F9B653 >>>> To contact us: 1. Download Getsesion https://getsession.org/download 2. Add friend my id: 0576f87ce7ad049d7f1e24cab3780853b589bcfa9601302eb005c041f3a504fe7a >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
URLs

https://getsession.org/download

Extracted

Path

C:\sOZaWmhTR.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need to contact us with your personal DECRYPTION ID: D935BE7A0BBC7728115A5CEF459B6445 >>>> To contact us: 1. Download Getsesion https://getsession.org/download 2. Add friend my id: 0576f87ce7ad049d7f1e24cab3780853b589bcfa9601302eb005c041f3a504fe7a >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
URLs

https://getsession.org/download

Targets

    • Target

      2024-09-24_ef7eb0e31e5ef78258750ce2c9d2428c_darkside

    • Size

      146KB

    • MD5

      ef7eb0e31e5ef78258750ce2c9d2428c

    • SHA1

      e16d0b8796f9c745a195c0dedad9945b7978c553

    • SHA256

      3cbf36af1e82cb4ee52facdefedc1eb5e5823242721c81f12f14f8657773c9f9

    • SHA512

      8cd326170f92762cdecc69f6b27a8f6220c4cb547750dbd2173afffba36866501372534b37bfbf057faa039cd3877a627041c53c30d9b9d2f2d054b036629713

    • SSDEEP

      3072:I6glyuxE4GsUPnliByocWepXjZ3Csy+hs4Sf33Q:I6gDBGpvEByocWeNhvSfQ

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Renames multiple (4126) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks