Analysis Overview
SHA256
bb176c4f2cbbe4f80f3efcde3121d0ec79a2c05f9825f20445cd0b34aa05e483
Threat Level: Known bad
The file 311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.zip was found to be: Known bad.
Malicious Activity Summary
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
Renames multiple (332) files with added filename extension (behavioral1, Windows 7 run)
Renames multiple (632) files with added filename extension (behavioral2, Windows 10 run)
Reads user/profile data of web browsers (this fires because a Firefox profile cache file was opened and renamed during encryption, see Files under behavioral1, not because credentials were harvested)
Drops desktop.ini file(s)
System Location Discovery: System Language Discovery (ATT&CK T1614.001; the sample opens HKLM\SYSTEM\ControlSet001\Control\NLS\Language)
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 06:35
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 06:35
Reported
2024-11-06 06:38
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line

(none; the sample was launched by path only, with no arguments, as shown under Processes)
Signatures
Renames multiple (332) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
System Location Discovery: System Language Discovery (ATT&CK T1614.001)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm" | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico" | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe
"C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c

(AUDIODG.EXE is the Windows Audio Device Graph Isolation host. The report lists it among processes seen during the run but does not show it as a child of the sample, so treat it as system background rather than evidence of injection unless parent/child data says otherwise.)
Network

No network connections were recorded in this run.
Files
memory/3044-0-0x00000000000F0000-0x0000000000130000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\AAAAAAAAAAA
| MD5 | 0ac1bec6f3ef0989b9924ea201db6d52 |
| SHA1 | 92afce4abacf9554cb34246781c1ba61cd49e1a1 |
| SHA256 | 5a6be4cf8dcb6cd8ff46b3ae249bc7312a85066849b120f6b7ff3b78c434360e |
| SHA512 | ed4197b956c64e2ab87b11e08996023993ccfc728a3f416058f47d2694ed93d205b67833942b9927a77424c702041d70f7960b3532be79fe8160b00535bef1a3 |
F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\DDDDDDDDDDD
| MD5 | 77303c429ea7233b546fc9f5181ef334 |
| SHA1 | d1305d798eb747c0b0af445fdd442a07daa3c3e4 |
| SHA256 | ea1385ecaf62c4a638050919e7b1176f024b4a0c793a67a31653187ee80eab16 |
| SHA512 | ae1b352b62da529d8dc0bc3995ac5fff8e494c56be6916b9a4ecca7962e40d7e67d045c96565333bbf72bea381c9c5fc07c9419aa5267eef2999ac10b4d2b473 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\C982342375C355A44C213031EEAC97222E1367E1.FihqnBxYm
| MD5 | 8f4c38a7266a79f0998e1764d12b9f34 |
| SHA1 | baecc79c48ba6de7db98b0bce7579302a7fa1889 |
| SHA256 | 8999310b6091a46d09baf357650cfb60671d0093e1a6f44c10f48dd5cd67693a |
| SHA512 | 6896e136b0585387e03e7233801f34bd1515b72f8cc0ee4d1daa7afc96cf6fb8754e1dcd8da8127a9e976aeea36ca33b84c32ae6d4109d025234ce91faa71f45 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 06:35
Reported
2024-11-06 06:38
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
142s
Command Line

(none; the sample was launched by path only, with no arguments, as shown under Processes)
Signatures
Renames multiple (632) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
System Location Discovery: System Language Discovery (ATT&CK T1614.001)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico" | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm" | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
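The registry rows in both behavioral runs show the mechanism behind the "Renames multiple files with added filename extension" and "Modifies registry class" signatures: the sample registers a new extension (.FihqnBxYm), maps it to a ProgID of the same name, and points that ProgID's DefaultIcon at an .ico under C:\ProgramData, so every encrypted file renders with the ransomware's icon in Explorer. The Python below is an added triage helper, not part of this report or of any sandbox tooling. It reads event lines in the report's "action | indicator" form (an assumed format), recovers the registered extension and icon path, counts files carrying that suffix, and flags the $Recycle.Bin desktop.ini writes and the NLS\Language read. The event list is copied from the rows above; the two extra renamed documents and the notepad.exe entry are constructed to exercise the counting.

```python
"""Triage helper for extension-registration and mass-rename indicators.

Added example, not part of the sandbox report. Input format (action | indicator)
is assumed; the event list is copied from the report, the extra files are invented.
"""
import json
import re
from collections import Counter

# Constructed: registry and file events copied from the behavioral runs above.
SAMPLE_EVENTS = [
    r"Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm",
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm"',
    r"Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon",
    r"Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm",
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico"',
    r"File opened for modification | C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini",
    r"File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini",
    r"Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
]

# Constructed: first path is from the report; the others are invented samples.
SAMPLE_FILES = [
    r"C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\C982342375C355A44C213031EEAC97222E1367E1.FihqnBxYm",
    r"C:\Users\Admin\Documents\quarterly.xlsx.FihqnBxYm",   # invented
    r"C:\Users\Admin\Pictures\holiday.jpg.FihqnBxYm",       # invented
    r"C:\Windows\System32\notepad.exe",                     # invented, untouched
]

# ".ext" default value -> ProgID, and ProgID\DefaultIcon -> icon path
EXT_CLASS_RE = re.compile(r'\\Classes\\(\.[^\\ ]+)\\? = "([^"]+)"')
DEFAULT_ICON_RE = re.compile(r'\\Classes\\([^\\ ]+)\\DefaultIcon\\? = "([^"]+)"')


def extension_registration(events):
    """Pair the '.ext -> ProgID' mapping with that ProgID's DefaultIcon value."""
    ext_to_progid, progid_to_icon = {}, {}
    for ev in events:
        action, _, indicator = ev.partition(" | ")
        if not action.startswith("Set value"):
            continue
        m = EXT_CLASS_RE.search(indicator)
        if m:
            ext_to_progid[m.group(1)] = m.group(2)
            continue
        m = DEFAULT_ICON_RE.search(indicator)
        if m:
            # the report escapes backslashes inside quoted registry values
            progid_to_icon[m.group(1)] = m.group(2).replace("\\\\", "\\")
    for ext, progid in ext_to_progid.items():
        if progid in progid_to_icon:
            return {"extension": ext, "progid": progid, "icon": progid_to_icon[progid]}
    return None


def appended_extension_counts(files):
    """Count final suffixes on files that still carry an earlier extension
    (name.docx.XXXX), i.e. the 'added filename extension' rename pattern."""
    counts = Counter()
    for path in files:
        parts = path.rsplit("\\", 1)[-1].split(".")
        if len(parts) >= 3:
            counts["." + parts[-1]] += 1
    return counts


def recycle_bin_desktop_ini(events):
    """desktop.ini writes under $Recycle.Bin, a side effect of walking every volume."""
    return [ev.partition(" | ")[2] for ev in events
            if ev.startswith("File opened for modification")
            and "$recycle.bin" in ev.lower() and ev.lower().endswith("desktop.ini")]


def triage(events, files):
    reg = extension_registration(events)
    ext = reg["extension"].lower() if reg else None
    return {
        "registered_extension": reg["extension"] if reg else None,
        "progid": reg["progid"] if reg else None,
        "icon_path": reg["icon"] if reg else None,
        "icon_in_programdata": bool(reg) and reg["icon"].lower().startswith("c:\\programdata\\"),
        "files_with_extension": sum(1 for f in files if ext and f.lower().endswith(ext)),
        "appended_extension_counts": dict(appended_extension_counts(files)),
        "recycle_bin_desktop_ini": recycle_bin_desktop_ini(events),
        "language_key_read": any("NLS\\Language" in ev for ev in events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, SAMPLE_FILES), indent=2))
```

The extension is derived twice on purpose: from the Classes registration and independently from the file names, so the check still works on a host where the registry write was blocked or rolled back, and a mismatch between the two is itself worth a look.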
Processes
C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe
"C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe"
Network

Caveat: every row below is either a PTR (in-addr.arpa) lookup sent to 8.8.8.8 or traffic to tse1.mm.bing.net, the Bing media CDN that a stock Windows 10 image contacts on its own. The table therefore shows sandbox background noise, not sample-originated command-and-control; the five identical TCP rows are repeated connections to the same host.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
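To separate background noise like the table above from traffic that needs analyst attention, the Python below (an added example, not part of this report or of the sandbox) parses the table rows, classifies each as a PTR lookup, known Windows background traffic, or "review", and reverses the in-addr.arpa names back into the IPs that were looked up. The row text is copied from the behavioral2 table with the duplicate TCP rows collapsed; the allow-list of background domains is an assumption and should be tuned to the sandbox image in use.

```python
"""Classify sandbox network rows into background noise vs. rows to review.

Added example, not part of the sandbox report. The allow-list below is an
assumption about this sandbox's Windows 10 image, not a fact from the report.
"""
import re
from collections import Counter

# Constructed: rows copied from the behavioral2 Network table, duplicates collapsed.
SAMPLE_NETWORK = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
""".strip()

# Assumed: resolver used by the sandbox and domains Windows 10 contacts by itself.
RESOLVER = "8.8.8.8:53"
BACKGROUND_DOMAIN_SUFFIXES = (".bing.net",)

ROW_RE = re.compile(r"^\|\s*(\w+)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*(\w+)\s*\|$")


def parse_rows(text):
    """Turn '| country | dest | domain | proto |' lines into dicts; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, dest, domain, proto = m.groups()
            rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def classify(row):
    """'background-ptr', 'background-windows', or 'review' for anything unexplained."""
    domain = row["domain"].lower()
    if domain.endswith(".in-addr.arpa") and row["dest"] == RESOLVER:
        return "background-ptr"
    if domain.endswith(BACKGROUND_DOMAIN_SUFFIXES):
        return "background-windows"
    return "review"


def ptr_target_ips(rows):
    """Reverse the octets of each in-addr.arpa name to recover the IP that was looked up."""
    ips = set()
    for r in rows:
        d = r["domain"].lower()
        if d.endswith(".in-addr.arpa"):
            octets = d[: -len(".in-addr.arpa")].split(".")
            if len(octets) == 4 and all(o.isdigit() for o in octets):
                ips.add(".".join(reversed(octets)))
    return ips


def summarize(text):
    rows = parse_rows(text)
    return {
        "rows": len(rows),
        "classes": dict(Counter(classify(r) for r in rows)),
        "needs_review": [r for r in rows if classify(r) == "review"],
        "ptr_ips": sorted(ptr_target_ips(rows)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_NETWORK).items():
        print(key, value)
```

On this table the "review" bucket comes out empty, which is the practical reading of the run: nothing here is attributable to the sample. The reversed PTR targets (for example 150.171.27.10, the same host the TCP rows go to) are what you would pivot on if any of them were unfamiliar for the sandbox image.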
Files
memory/3316-0-0x0000000002F90000-0x0000000002FA0000-memory.dmp
memory/3316-2-0x0000000002F90000-0x0000000002FA0000-memory.dmp
memory/3316-1-0x0000000002F90000-0x0000000002FA0000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\TTTTTTTTTTT
| MD5 | fd5b8f2c7e19c95abbe69b0992d5025e |
| SHA1 | 32b30a61d1d84143a2fffdc6d6adc4a5ad56744e |
| SHA256 | c90654145d7ee231c1e49a32107d3b55d87a2374f83352c3505d90aa5c509870 |
| SHA512 | 54b92c5b1a2be51801b8c92cbae836b533d545e9c23666918db153559482ec658af56709bf91cc49a78030b81f2fbb428554eb02d01c1f2e34eb93f114617018 |
F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\DDDDDDDDDDD
| MD5 | 2167fe8922d00f7771879d662741a4cd |
| SHA1 | 577612860b23c4a6dfe5b4949f89052865e1ddfa |
| SHA256 | 0b7409fbfefca5c91e32913836792bbc29c4018e67f5d3f43b143427e92b9a37 |
| SHA512 | f4c3177ecc0f07c91df058a3b6c77097a6edef4400fe8c9f1800989bcf3fb1217a53351f15996118f629a3c9039ca43418820b897e064c90f5e36e2750aeaa29 |