Overview

overview

10

Static

static

10

7cb6f984f0...d1.exe

windows7-x64

10

7cb6f984f0...d1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1

  • Size

    146KB

  • Sample

    241004-xpmkgsvgmd

  • MD5

    23f8091893512fa2635817a2f51df391

  • SHA1

    9f7f2ba48752e37baadd4c35febaa58d613e3194

  • SHA256

    7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1

  • SHA512

    b4b9fc55bb944c8c657cf737ba0c8de17a09ec121591faac468b9c89182d45d910301f248d78134d78504de437a124208b6038a0047503f65e6cd1125490755c

  • SSDEEP

    1536:wzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDY4zGqaGKGcNY3XZ2Vsz1bl8HXo:PqJogYkcSNm9V7DLzxaGb522l83qtZT

Score
10/10
lockbitdefense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\mqmQaLLxg.README.txt

Ransom Note
~~~ LockBit Black Ransomware Since 2024~~~ >>>> Your data are stolen and encrypted Price = 2000 $ Bitcoin = 328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2 Email = [email protected] Email = [email protected] >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> Your personal DECRYPTION ID: NEWWERTYFG34A48MK4D6D53 + Name.README.txt >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
Wallets

328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2

Targets

    • Target

      7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1

    • Size

      146KB

    • MD5

      23f8091893512fa2635817a2f51df391

    • SHA1

      9f7f2ba48752e37baadd4c35febaa58d613e3194

    • SHA256

      7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1

    • SHA512

      b4b9fc55bb944c8c657cf737ba0c8de17a09ec121591faac468b9c89182d45d910301f248d78134d78504de437a124208b6038a0047503f65e6cd1125490755c

    • SSDEEP

      1536:wzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDY4zGqaGKGcNY3XZ2Vsz1bl8HXo:PqJogYkcSNm9V7DLzxaGb522l83qtZT

    Score
    10/10
    discoveryransomwarespywarestealerdefense_evasion

    • Renames multiple (5363) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks