Analysis
-
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27-09-2024 06:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe
  Resource: win10v2004-20240802-en
General
-
Target: 2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe
Size: 862KB
MD5: 4d66e5d97d69602b5f7f456a4c11cf2b
SHA1: 70ae4cb2a3af39a97dc75e0d4937c88faf6dc914
SHA256: 50ac767d5b007b120db7a476126a88f37edc3f54bae24ed546a80477836252ed
SHA512: e035da06a3c154a6ff0cadddfb559b5d6679e858ae6ffcfc48f8f4f0a8469221222fcf0ca160e24cfdf8f658f48d6484b5baff034a7ab73d5b87fbf964f03fd9
SSDEEP: 24576:DxAf2NuubB6RWspgjuwu7pl4Ha+UmxJH+QzFR:dAfSrWW4g+7Ht+UmxJeg3
Malware Config
Extracted from: C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt
Contact URLs found in the note:
- http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
- https://bigblog.at
- http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
- http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
- https://decoding.at
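Added example, not part of the sandbox report and not LockBit code: a Python triage helper that pulls the contact hosts out of a ransom note and checks that each .onion address is a structurally valid Tor v3 address (base32 of a 32-byte public key, a 2-byte SHA3-256 checksum and a version byte of 3), so a mistyped or truncated address is caught before it is published as an IoC. The note text is constructed for the example; only the URLs in it come from the report, and the function names are the example's own.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in for Restore-My-Files.txt: only the note's path and the
# URLs the sandbox pulled from it appear in the report, so the surrounding
# wording here is invented for the example.
SAMPLE_NOTE = """\
Your files are encrypted. Contact us via Tor Browser:
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Or a normal browser:
https://bigblog.at
https://decoding.at
"""

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def decode_onion_v3(host):
    """Decode a v3 hidden-service hostname. Tor's rend-spec-v3 layout is
    base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion", where
    CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2].
    Returns the decoded fields plus whether the checksum verifies, or None
    if the string is not even shaped like a v3 address."""
    label = host.lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 56:           # 56 base32 chars = 280 bits = 35 bytes
        return None
    try:
        raw = base64.b32decode(label, casefold=True)
    except binascii.Error:         # characters outside the base32 alphabet
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    expected = hashlib.sha3_256(
        b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    return {"pubkey": pubkey.hex(), "version": version,
            "checksum_ok": checksum == expected}


def validate_onion_v3(host):
    """True only for a well-formed v3 address with version byte 3 and a
    matching checksum."""
    info = decode_onion_v3(host)
    return bool(info) and info["version"] == 3 and info["checksum_ok"]


def triage_note(text):
    """Split the hosts in a note into verified v3 onions, onion-looking strings
    that do not decode (likely transcription damage), and clearnet hosts."""
    result = {"onion_valid": [], "onion_invalid": [], "clearnet": []}
    for host in sorted({m.group(1).lower() for m in URL_HOST_RE.finditer(text)}):
        if host.endswith(".onion"):
            bucket = "onion_valid" if validate_onion_v3(host) else "onion_invalid"
            result[bucket].append(host)
        else:
            result["clearnet"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage_note(SAMPLE_NOTE).items():
        for h in hosts:
            print(f"{bucket:14} {h}")
```

The checksum step is the useful part: a single wrong character in a copied address flips the version byte or the checksum, so the address lands in onion_invalid instead of being republished as an indicator.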
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F068DCBF-2828-A337-9BF8-9BCB3D5CBF55} = "C:\Users\Admin\AppData\Local\Temp\2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe"
The value name is a GUID-style string and the data is the quoted path of the sample in the user's Temp directory, so the sample is re-launched from %TEMP% at every logon of this user (HKCU Run, no elevation needed).
-
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe
    File opened (read-only): \??\F:
-
Drops file in System32 directory (1 IoC)
Processes:
  2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe
    File created: C:\Windows\system32\spool\PRINTERS\00002.SPL
A .SPL file in the PRINTERS spool directory is a queued print job, consistent with the ransom note being sent to installed printers rather than with a dropped payload.
-
Suspicious use of NtSetInformationThreadHideFromDebugger (21 IoCs)
Processes:
  PID 3068 2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe (21 calls)
Each call sets ThreadHideFromDebugger on a thread so that a debugger attached afterwards receives no events from it; the repetition suggests the sample does this for every thread it creates. This is anti-analysis behaviour, not encryption activity.
-
Drops file in Program Files directory (64 IoCs)
Six of the 64 entries are Restore-My-Files.txt creations (the ransom note is written into each directory the sample touches); the other 58 are existing files opened for modification, consistent with in-place encryption. Note that the sample walks into localisation subfolders (it-it, es-es, en-us, de-DE) and bundled third-party trees (Java, Office, VLC, Adobe Reader), not just user data.
Processes:
  2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe
    File created: C:\program files\windows sidebar\gadgets\clock.gadget\it-it\Restore-My-Files.txt
    File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0241041.wmf
    File opened for modification: C:\program files (x86)\microsoft office\media\office14\bullets\bd14755_.gif
    File opened for modification: C:\program files (x86)\microsoft office\office14\1033\outlook.hol
    File opened for modification: C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms5\formsbrowserupgrade.html
    File opened for modification: C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms5\formspreviewtemplate.html
    File opened for modification: C:\program files (x86)\microsoft office\office14\pubwiz\news98.poc
    File created: C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles\Restore-My-Files.txt
    File opened for modification: C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerconstraints.exsd
    File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\bl00932_.wmf
    File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0237228.wmf
    File opened for modification: C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar
    File opened for modification: C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar
    File opened for modification: C:\program files\java\jre7\lib\zi\america\north_dakota\center
    File created: C:\program files\microsoft games\multiplayer\checkers\en-us\Restore-My-Files.txt
    File opened for modification: C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir34b.gif
    File opened for modification: C:\program files (x86)\microsoft office\office14\latin1.shp
    File opened for modification: C:\program files (x86)\windows sidebar\gadgets\clock.gadget\en-us\gadget.xml
    File opened for modification: C:\program files (x86)\windows sidebar\gadgets\weather.gadget\en-us\weather.html
    File opened for modification: C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\config\modules\com-sun-tools-visualvm-host-views.xml
    File opened for modification: C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir45b.gif
    File opened for modification: C:\program files (x86)\microsoft office\office14\proof\mshy7es.lex
    File opened for modification: C:\program files (x86)\windows sidebar\gadgets\weather.gadget\es-es\css\weather.css
    File opened for modification: C:\program files\dvd maker\shared\dvdstyles\travel\travelintrotomainmask_pal.wmv
    File opened for modification: C:\program files\java\jre7\lib\zi\america\argentina\san_luis
    File created: C:\program files\microsoft games\freecell\it-it\Restore-My-Files.txt
    File created: C:\program files\windows sidebar\gadgets\clock.gadget\es-es\css\Restore-My-Files.txt
    File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\fd00775_.wmf
    File opened for modification: C:\program files (x86)\microsoft office\document themes 14\executive.thmx
    File opened for modification: C:\program files\dvd maker\shared\dvdstyles\babygirl\flower_trans_rgb_pal.wmv
    File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0090779.wmf
    File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\so01063_.wmf
    File opened for modification: C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms\fieldtypepreview\digitalink.jpg
    File opened for modification: C:\program files\java\jre7\lib\zi\antarctica\davis
    File created: C:\program files\videolan\vlc\locale\fur\lc_messages\Restore-My-Files.txt
    File opened for modification: C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\modern_settings.png
    File opened for modification: C:\program files\dvd maker\shared\dvdstyles\postage_selectionsubpicture.png
    File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\explr_01.mid
    File opened for modification: C:\program files (x86)\microsoft office\office14\pubwiz\pictph.poc
    File opened for modification: C:\program files (x86)\windows sidebar\gadgets\calendar.gadget\icon.png
    File opened for modification: C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\undocked_black_moon-waning-gibbous_partly-cloudy.png
    File opened for modification: C:\program files\dvd maker\shared\dvdstyles\rectangle_scrapbook_thumbnail.bmp
    File opened for modification: C:\program files\windows sidebar\gadgets\rssfeeds.gadget\en-us\rssfeeds.html
    File opened for modification: C:\program files (x86)\adobe\reader 9.0\resource\linguistics\providers\proximity\11.00\brt.fca
    File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0217872.wmf
    File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0241077.wmf
    File opened for modification: C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\springgreen\tab_off.gif
    File opened for modification: C:\program files (x86)\microsoft office\office14\pubwiz\postcd98.poc
    File opened for modification: C:\program files (x86)\microsoft office\office14\pubwiz\storyvertbb.poc
    File opened for modification: C:\program files\windows sidebar\gadgets\calendar.gadget\images\bg-today.png
    File opened for modification: C:\program files\windows sidebar\gadgets\cpu.gadget\en-us\css\cpu.css
    File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\tn00018_.wmf
    File opened for modification: C:\program files (x86)\microsoft office\media\cagcat10\j0205466.wmf
    File opened for modification: C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\computers\computericonmask.bmp
    File opened for modification: C:\program files (x86)\microsoft office\office14\pagesize\pglbl083.xml
    File opened for modification: C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\images\settings_right_pressed.png
    File opened for modification: C:\program files (x86)\microsoft office\templates\1033\access\datatype\start end dates.accft
    File opened for modification: C:\program files (x86)\microsoft visual studio 8\common7\ide\vsta\itemtemplates\csharp\1033\mdiparent.zip
    File opened for modification: C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html
    File opened for modification: C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css
    File opened for modification: C:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar
    File opened for modification: C:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar
    File opened for modification: C:\program files (x86)\microsoft office\media\office14\lines\bd21305_.gif
    File opened for modification: C:\program files (x86)\microsoft visual studio 8\common7\ide\vsta\itemtemplates\visualbasic\1033\explorer.zip
-
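Added example, not from the sandbox and not the sample's code: a Python detection sketch over constructed telemetry in an assumed minimal tuple schema (event type, PID, image, target, data) that turns the two behaviours above, the Run key entry and the ransom-note fan-out across Program Files, into hunt logic. The registry value and the six Restore-My-Files.txt paths are copied from this report, the seventh note path is the one in the Malware Config section, and the setup.exe / PID 4100 events are an invented benign control; the min_dirs threshold is an assumption to tune per environment.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed events, assumed schema: (event, pid, image, target, data).
# Paths and the registry value are copied from the report; PID 4100 / setup.exe
# is an invented benign control so the checks have something to ignore.
RUN_PATH = (r"\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run")
SAMPLE = "2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe"
NOTE_DIRS = [
    r"C:\program files\windows sidebar\gadgets\clock.gadget\it-it",
    r"C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles",
    r"C:\program files\microsoft games\multiplayer\checkers\en-us",
    r"C:\program files\microsoft games\freecell\it-it",
    r"C:\program files\windows sidebar\gadgets\clock.gadget\es-es\css",
    r"C:\program files\videolan\vlc\locale\fur\lc_messages",
    r"C:\Program Files\DVD Maker\de-DE",
]
EVENTS = [
    ("reg_set", 3068, SAMPLE, RUN_PATH + r"\{F068DCBF-2828-A337-9BF8-9BCB3D5CBF55}",
     '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'),
    *[("file_create", 3068, SAMPLE, d + r"\Restore-My-Files.txt", "") for d in NOTE_DIRS],
    ("reg_set", 4100, "setup.exe", RUN_PATH + r"\Updater", r'"C:\Program Files\Vendor\updater.exe"'),
    ("file_create", 4100, "setup.exe", r"C:\Program Files\Vendor\readme.txt", ""),
]

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def autostart_target(data):
    """Return the executable path from Run value data, honouring the quoting
    seen in the report's IoC (a quoted path, optionally followed by args)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def run_key_findings(events):
    """Flag Run/RunOnce values with a GUID-style name or a target under the
    user's AppData tree; either alone deserves a look, both together is the
    exact pattern in this report."""
    findings = []
    for ev, pid, image, target, data in events:
        m = RUN_KEY_RE.search(target) if ev == "reg_set" else None
        if not m:
            continue
        value_name, exe = m.group(2), autostart_target(data)
        reasons = []
        if GUID_RE.match(value_name):
            reasons.append("guid-named Run value")
        if USER_WRITABLE_RE.match(exe):
            reasons.append("autostart target under user AppData")
        if reasons:
            findings.append({"pid": pid, "image": image, "value": value_name,
                             "target": exe, "reasons": reasons})
    return findings


def ransom_note_findings(events, min_dirs=5):
    """One process creating a file of the same name in many distinct directories
    is the ransom-note fan-out; min_dirs is an assumed threshold."""
    dirs_by_key = defaultdict(set)
    for ev, pid, image, target, _ in events:
        if ev == "file_create":
            p = PureWindowsPath(target)
            dirs_by_key[(pid, image, p.name.lower())].add(str(p.parent).lower())
    return [{"pid": pid, "image": image, "name": name, "distinct_dirs": len(dirs)}
            for (pid, image, name), dirs in dirs_by_key.items()
            if len(dirs) >= min_dirs]


if __name__ == "__main__":
    for finding in run_key_findings(EVENTS) + ransom_note_findings(EVENTS):
        print(finding)
```

Keying the fan-out check on (PID, image, file name) rather than on the literal name Restore-My-Files.txt keeps it useful against renamed notes; the cost is that installers writing the same readme into several directories will also trip it, which is why the benign control and the threshold are there.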
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (1 IoC)
Processes:
  WerFault.exe
    PID 568, target PID 3068 (procid_target 29)
The crash reporter was launched for the sample itself (WerFault.exe -u -p 3068 -s 2720 in the process tree), so the sample faulted during this run rather than crashing anything else. The WriteProcessMemory entries below, whose target is WerFault's PID 568, are the parent-to-child writes made when the child process is created and should not be read as code injection.
-
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
LockBit builds are documented to check the system language and exit on CIS-country locales, so the locale of the analysis image (en-us here) can decide whether encryption happens at all.
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  PID 3068 2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  PID 3068 2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe
    Token: SeTakeOwnershipPrivilege
    Token: SeDebugPrivilege
SeTakeOwnershipPrivilege lets the process take ownership of files whose ACL would otherwise refuse the write, which fits the Program Files modifications above; SeDebugPrivilege is what it needs to open other processes.
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  PID 3068 2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe wrote to memory of PID 568 (procid_target 32), 4 times
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe (PID 3068)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-27_4d66e5d97d69602b5f7f456a4c11cf2b_lockbit.exe"
   - Adds Run key to start application
   - Enumerates connected drives
   - Drops file in System32 directory
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (PID 568, child of 3068)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 2720
      - Program crash
      WerFault is the Windows Error Reporting handler for the faulting PID passed with -p; the SysWOW64 copy is used because the sample runs as a 32-bit process.
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize: 512B
MD5: a9473f7a3a65e307ba359b18b43989d6
SHA1: fa293f4049fc594196c1b8082f6c138745a3aed8
SHA256: 9d7ab21c9388b85e9d39ae6fe40e78ad0fcc385f52ecb8ea4f3db541f155c224
SHA512: b9af0cbdf06ce43e0ea6246f32046dc40a402c32b7d81b52ddee0c5ae875956ebb3453307286f0fc2433da4098880b593cbafee9f73be341c5357fba6b012ae9