lockbit | 7f899996d4bc193a1739b8f9ca51a7f46a7d41007f472df5622208e2db62b232

Sharing

Copy URL

Twitter E-mail

General

Target

Lockbit-Ransomware-Builder-main (1).zip
Size

283KB
Sample

241126-r6h1qswjax
MD5

0f4c1f0cbe1e3ad1b4fdb0f8de101938
SHA1

c7edeff3353e58c4133fb456d17ac6593c1882c4
SHA256

7f899996d4bc193a1739b8f9ca51a7f46a7d41007f472df5622208e2db62b232
SHA512

98793bae94bfb3baff6f3f76d2c9251eee64d5ec305f3b2384b2bf5157872a1cb83809fa4a5fdb40ed4bd14761936ce43a6c3575e17a2c91b6df7319db06ecbc
SSDEEP

6144:eW+LYvU1+OsOtX2lUFW+LYvU1+OsOtX2lUpW+LYvU1+OsOtX2lUK:WeItX2l2eItX2lUeItX2l9

Score

10^/10

Malware Config

Targets

- Target
  
  Lockbit-Ransomware-Builder-main/Builder.exe
- Size
  
  146KB
- MD5
  
  39c9477cf131ca5ccc05c8871c0e10e6
- SHA1
  
  07b2581b2cb41053d09c4bb896aaabc1d28f2a7b
- SHA256
  
  939281eac1c6e5aa2e4238a1e545e67b2609c15f517474b2a5133bb64fe9c1eb
- SHA512
  
  689fd585232031f746b1573d3ed66ac329420611d4e1092ce6952b49ab0c168091726bd02189a4e183d1196ced4f51953e4eb25a5219a36f86d8f6761da9f129
- SSDEEP
  
  1536:xzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDqk3sA9atm8z+L8QBfuSoyAMjwT:KqJogYkcSNm9V7D7352v+L8DnyAewT
Score

9^/10

defense_evasion discovery ransomware spyware stealer
- Renames multiple (314) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Lockbit-Ransomware-Builder-main/Decrypter.exe
- Size
  
  146KB
- MD5
  
  39c9477cf131ca5ccc05c8871c0e10e6
- SHA1
  
  07b2581b2cb41053d09c4bb896aaabc1d28f2a7b
- SHA256
  
  939281eac1c6e5aa2e4238a1e545e67b2609c15f517474b2a5133bb64fe9c1eb
- SHA512
  
  689fd585232031f746b1573d3ed66ac329420611d4e1092ce6952b49ab0c168091726bd02189a4e183d1196ced4f51953e4eb25a5219a36f86d8f6761da9f129
- SSDEEP
  
  1536:xzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDqk3sA9atm8z+L8QBfuSoyAMjwT:KqJogYkcSNm9V7D7352v+L8DnyAewT
Score

9^/10

defense_evasion discovery ransomware spyware stealer
- Renames multiple (344) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  Lockbit-Ransomware-Builder-main/KeyGen.exe
- Size
  
  146KB
- MD5
  
  39c9477cf131ca5ccc05c8871c0e10e6
- SHA1
  
  07b2581b2cb41053d09c4bb896aaabc1d28f2a7b
- SHA256
  
  939281eac1c6e5aa2e4238a1e545e67b2609c15f517474b2a5133bb64fe9c1eb
- SHA512
  
  689fd585232031f746b1573d3ed66ac329420611d4e1092ce6952b49ab0c168091726bd02189a4e183d1196ced4f51953e4eb25a5219a36f86d8f6761da9f129
- SSDEEP
  
  1536:xzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDqk3sA9atm8z+L8QBfuSoyAMjwT:KqJogYkcSNm9V7D7352v+L8DnyAewT
Score

9^/10

defense_evasion discovery ransomware spyware stealer
- Renames multiple (341) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral5 behavioral6
- Target
  
  Lockbit-Ransomware-Builder-main/README.md
- Size
  
  3KB
- MD5
  
  224f96bf0512ce83183b44f1b4af5280
- SHA1
  
  edc014dd786fd63056f5af38053cafa15f2b4d25
- SHA256
  
  918dda007f7c531c4340c84c966ed9c97f4155f5547a5721c3a4cb6c9fcbcd20
- SHA512
  
  dea4e0d1aa0162cbdd4deb8df9a5a9c0b8777c890c6d61be143d670e436c1fad86485eb2fdc63952b42c65647fbcef63e32f8b4d7891c5788e11a4017b3dd27c
Score

1^/10
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Tasks

Sharing

General

Malware Config

Targets

Renames multiple (314) files with added filename extension

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Indicator Removal: File Deletion

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Renames multiple (344) files with added filename extension

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Indicator Removal: File Deletion

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Renames multiple (341) files with added filename extension

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Indicator Removal: File Deletion

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8