lockbit | 52d2af9a8ff6137ac140d31715644d479bf91078969a3884273575e765b51b99

General

Target

LockBIT_7D68A5BFD028A31F.exe
Size

862KB
MD5

4d66e5d97d69602b5f7f456a4c11cf2b
SHA1

70ae4cb2a3af39a97dc75e0d4937c88faf6dc914
SHA256

50ac767d5b007b120db7a476126a88f37edc3f54bae24ed546a80477836252ed
SHA512

e035da06a3c154a6ff0cadddfb559b5d6679e858ae6ffcfc48f8f4f0a8469221222fcf0ca160e24cfdf8f658f48d6484b5baff034a7ab73d5b87fbf964f03fd9
SSDEEP

24576:DxAf2NuubB6RWspgjuwu7pl4Ha+UmxJH+QzFR:dAfSrWW4g+7Ht+UmxJeg3

Score

10^/10

lockbit discovery persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 7D68A5BFD028A31FC5BB74A374D201D3

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LockBIT_7D68A5BFD028A31F.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{F068DCBF-2828-A337-9BF8-9BCB3D5CBF55} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\LockBIT_7D68A5BFD028A31F.exe\""	LockBIT_7D68A5BFD028A31F.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

LockBIT_7D68A5BFD028A31F.exe

description ioc process

File opened (read-only) \??\F: LockBIT_7D68A5BFD028A31F.exe

description	ioc	process
File opened (read-only)	\??\F:	LockBIT_7D68A5BFD028A31F.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

LockBIT_7D68A5BFD028A31F.exe

pid	process
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe
3000	LockBIT_7D68A5BFD028A31F.exe

Drops file in Program Files directory 64 IoCs

Processes:

LockBIT_7D68A5BFD028A31F.exe

description	ioc	process
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_2x.png	LockBIT_7D68A5BFD028A31F.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\js\nls\nb-no\Restore-My-Files.txt	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\images\ratings\yelp7.scale-100.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_x64__8wekyb3d8bbwe\assets\secondarytiles\transit\contrast-white\widetile.scale-200.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowsstore_11910.1002.5.0_x64__8wekyb3d8bbwe\assets\apptiles\contrast-black\splashscreen.scale-200.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.xboxapp_48.49.31001.0_x64__8wekyb3d8bbwe\assets\gamesxboxhubapplist.targetsize-60_altform-unplated.png	LockBIT_7D68A5BFD028A31F.exe
File created	C:\program files\windowsapps\microsoft.xboxgameoverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Restore-My-Files.txt	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\assets\getstartedsplash.scale-100_contrast-white.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contactphoto.scale-180.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.vp9videoextensions_1.0.22681.0_x64__8wekyb3d8bbwe\assets\contrast-white\storelogo.scale-400_contrast-white.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.webpimageextension_1.0.22753.0_x64__8wekyb3d8bbwe\assets\splashscreen.scale-200.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\hxa-generic-dark.scale-125.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.xboxapp_48.49.31001.0_x64__8wekyb3d8bbwe\assets\gamesxboxhubsmalltile.scale-100.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.zunevideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\moviesanywherelogowithtextlight.scale-100.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\app-center\images\themeless\web_documentcloud_logo.png	LockBIT_7D68A5BFD028A31F.exe
File created	C:\program files\java\jre-1.8\bin\server\Restore-My-Files.txt	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.549981c3f5f10_1.1911.21713.0_x64__8wekyb3d8bbwe\appxmetadata\codeintegrity.cat	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.bingweather_4.25.20211.0_x64__8wekyb3d8bbwe\assets\apptiles\weatherimages\210x173\8.jpg	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.bingweather_4.25.20211.0_x64__8wekyb3d8bbwe\assets\apptiles\weatherimages\423x173\10.jpg	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\assets\getstartedapplist.targetsize-48_altform-unplated_contrast-black.png	LockBIT_7D68A5BFD028A31F.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-recent-files\js\nls\da-dk\Restore-My-Files.txt	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\s_filter-focus_32.svg	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\projectstd2019r_oem_perp-pl.xrm-ms	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\microsoft office\root\office16\1033\clientlangpack_eula.txt	LockBIT_7D68A5BFD028A31F.exe
File created	C:\program files\videolan\vlc\locale\ga\lc_messages\Restore-My-Files.txt	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\onenotesectiongroupwidetile.scale-125.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.vp9videoextensions_1.0.22681.0_x64__8wekyb3d8bbwe\assets\splashscreen.scale-150.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.heifimageextension_1.0.22742.0_x64__8wekyb3d8bbwe\assets\applist.targetsize-30_altform-unplated.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\moe_status_icons.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.windows.photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\appxsignature.p7x	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowsfeedbackhub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\insiderhubsmalltile.scale-100_contrast-white.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\ob-preview\images\themeless\index_poster.jpg	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\unified-share\js\nls\hu-hu\ui-strings.js	LockBIT_7D68A5BFD028A31F.exe
File created	C:\program files (x86)\windowspowershell\modules\packagemanagement\1.0.0.1\dscresources\msft_packagemanagement\en-us\Restore-My-Files.txt	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\microsoft office\root\office16\sdxs\fa000000027\assets\icons\[email protected]	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.desktopappinstaller_1.0.30251.0_x64__8wekyb3d8bbwe\assets\fileicons\filelogoextensions.targetsize-64.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.windows.photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\assets\photosapplist.targetsize-36_altform-fullcolor.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\linkedinboxlargetile.scale-200.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\ui-strings.js	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files (x86)\windowspowershell\modules\pester\3.4.0\snippets\shouldnotbe.snippets.ps1xml	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\microsoft office\root\office16\msipc\id\msipc.dll.mui	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.bingweather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\apptiles\contrast-black\weather_splashscreen.scale-100.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.bingweather_4.25.20211.0_x64__8wekyb3d8bbwe\assets\apptiles\weatherimages\423x173\40.jpg	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\digsig\js\nls\uk-ua\ui-strings.js	LockBIT_7D68A5BFD028A31F.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\js\nls\eu-es\Restore-My-Files.txt	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\app\dev\nls\ui-strings.js	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\onenoter_trial-pl.xrm-ms	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\hxcalendarbadge.scale-125.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\hxa-advanced-light.scale-250.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.xboxapp_48.49.31001.0_x64__8wekyb3d8bbwe\prndmediasource.winmd	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.zunevideo_10.19071.19011.0_x64__8wekyb3d8bbwe\assets\contrast-white\applist.targetsize-96_contrast-white.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\o365homepremr_subtest5-pl.xrm-ms	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\outlookmailsmalltile.scale-125.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\hxmailsmalltile.scale-400.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\app-center\images\themeless\desktop_acrobat_logo.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\microsoft office\root\office16\1033\officeinventoryagentfallback.xml	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1851_32x32x32.png	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\o365proplusr_subscription1-pl.xrm-ms	LockBIT_7D68A5BFD028A31F.exe
File created	C:\program files\microsoft office\root\vfs\system\Restore-My-Files.txt	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\ui-strings.js	LockBIT_7D68A5BFD028A31F.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\reviews\js\nls\hr-hr\Restore-My-Files.txt	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.skypeapp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\localizedstrings_nl.json	LockBIT_7D68A5BFD028A31F.exe
File opened for modification	C:\program files\windowsapps\microsoft.webpimageextension_1.0.22753.0_x64__8wekyb3d8bbwe\assets\contrast-white\badgelogo.scale-200_contrast-white.png	LockBIT_7D68A5BFD028A31F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

LockBIT_7D68A5BFD028A31F.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LockBIT_7D68A5BFD028A31F.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

LockBIT_7D68A5BFD028A31F.exe

pid process

3000 LockBIT_7D68A5BFD028A31F.exe
3000 LockBIT_7D68A5BFD028A31F.exe
3000 LockBIT_7D68A5BFD028A31F.exe
3000 LockBIT_7D68A5BFD028A31F.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

LockBIT_7D68A5BFD028A31F.exe

description pid process

Token: SeTakeOwnershipPrivilege 3000 LockBIT_7D68A5BFD028A31F.exe
Token: SeDebugPrivilege 3000 LockBIT_7D68A5BFD028A31F.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LockBIT_7D68A5BFD028A31F.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3000	LockBIT_7D68A5BFD028A31F.exe
Token: SeDebugPrivilege	3000	LockBIT_7D68A5BFD028A31F.exe

C:\Users\Admin\AppData\Local\Temp\LockBIT_7D68A5BFD028A31F.exe
"C:\Users\Admin\AppData\Local\Temp\LockBIT_7D68A5BFD028A31F.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Discovery

1

T1046

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\Restore-My-Files.txt

Filesize
512B

MD5
6ee580b068415e25ff66ef8771db7a00

SHA1
fffcdd8342952f05be4a033025f93cc75af43b0b

SHA256
8e53872a723b699777ba234b496cfdc06ee92f310cc52be71fcba46d8e52b75a

SHA512
9d38333b65b1e1b1bb65b938800ddbb3ad26f68b05ff4037cde24c7b891c7a12055b41b9e4f95e26d343ce7096f7d769d8977aaa1db8f9f1206f76c1bbc2386f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads