General

  • Target

    69d0a3e0498fa0f11d88f0ede6a95635e319db742ad8ece64934a80a6ef525a6N

  • Size

    9.5MB

  • Sample

    241009-tlm53aydpm

  • MD5

    d62e0db3e0ad4755edae9741328c24c0

  • SHA1

    a5b5b1b5f4df91a23d1809f02881dc4663683d3f

  • SHA256

    69d0a3e0498fa0f11d88f0ede6a95635e319db742ad8ece64934a80a6ef525a6

  • SHA512

    2cb1d62fa77afd58a632a9b7988fdfe52578f92b2132aa93d8ab6685009d1ac9ad4d42629c5ad59b8db812f3386babf8129e4ce378de0d937402a83ed2630113

  • SSDEEP

    196608:AimE4n6CwYR0Xcr7PnILLZWdoCOid3tlKXeXWnA7bxIzGrPp/ythn:4E46CwYqXcr7M5li/lKPA7bxIEZY

Malware Config

Extracted

Path

C:\Users\Admin\MNYHU2Jh1.README.txt

Ransom Note
~~~ LockBit 5.02 the world's fastest ransomware since 2024~~~
>>>> Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom BTC amount 0.02 BTC amount 0 , deleted all files from you PC, and post all infirmation to public.
where send BTC: bc1qm7sg7p2jkgthv7pkjy856sh9lr5x3yrpzv099d
Time just 12 hr, after everythink will be removed
You can buy them on the exchange or at an ATM https://coinatmradar.com. You can find the addresses here buy with credit or debet card online https://www.moonpay.com/buy.
After that, send a request with confirmation to e-mail , faster way! [email protected] or [email protected]
If both email no answer, you need faster answer and unlock please use TOX
You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, tox.
Tox ID LockBitSupp: 47C90F99E92AC0ECEAD8C2BD15B21866EBC1195B6E2B0412CE3658E21B696843FF4A8D144B24
URLs

https://coinatmradar.com

https://www.moonpay.com/buy

https://tox.chat/download.html

Targets

    • Target

      69d0a3e0498fa0f11d88f0ede6a95635e319db742ad8ece64934a80a6ef525a6N

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Renames multiple (315) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15
