Overview

overview

10

Static

static

3

29.04.exe

windows7-x64

10

29.04.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    lockbit1.7z

  • Size

    8.8MB

  • Sample

    241202-z39chstjaz

  • MD5

    a1beeabd1bccb8266631e4cce53eea26

  • SHA1

    917975f62cda9bac4badbb09d4f5e99936e5c30e

  • SHA256

    9f3a43ab58c24e5394021009092be2d3ecff413aa57a440542e3b2a827fd9b54

  • SHA512

    b6fe92909419e8eddd1eb3139c11ee968f6b6cd1b95073fde356faa707e46ffec42a819c732016175bcc4aac8da187fd75cea7b857fc1e693c6ff8a86aa1815a

  • SSDEEP

    98304:ciMFZDHZg7++Bfe65+PdBMgV3c2Xi5DyVZD93tNmD/+IV78ZtUV+kIpOjs7D6c6Z:ciIZD2S+BfD5hEtyVGUEOA/+kU5pXn

Score
10/10
lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?BD61F8CA9173670AC976BE61A0955896 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?BD61F8CA9173670AC976BE61A0955896 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.com/?BD61F8CA9173670AC976BE61A0955896

http://lockbitks2tvnmwk.onion/?BD61F8CA9173670AC976BE61A0955896

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?BD61F8CA9173670AC82D8590E4B9CE65 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?BD61F8CA9173670AC82D8590E4B9CE65 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.com/?BD61F8CA9173670AC82D8590E4B9CE65

http://lockbitks2tvnmwk.onion/?BD61F8CA9173670AC82D8590E4B9CE65

Targets

    • Target

      29.04.20TASKMNGR

    • Size

      148KB

    • MD5

      a7637dfb6b9408fe020d9333d0ade6dc

    • SHA1

      930c34743ab12c80512723db0aa7b8b4762fcc84

    • SHA256

      cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1

    • SHA512

      a522e3be00f3c32cd318cca7995e0f6f604a0590de3f4c2830920347328d405d178bdd2c2406e3b835cc5e5037e2d2348456b138878644231af94e51fc4b4e94

    • SSDEEP

      3072:ym0ROZIL87L1yoklfzGp3XjRaDyZYMqqD/A+lHlC:ypMCL8rpHjRa0qqD/NjC

    Score
    10/10
    lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

      ransomwarelockbit

    • Lockbit family

      lockbit

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (9392) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

2
T1112

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

Remote System Discovery

1
T1018

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

4
T1490

Tasks