lockbit

Sharing

Copy URL

Twitter E-mail

General

Target

lockbit (1).7z
Size

8.8MB
Sample

241202-zz2hhasqev
MD5

a1beeabd1bccb8266631e4cce53eea26
SHA1

917975f62cda9bac4badbb09d4f5e99936e5c30e
SHA256

9f3a43ab58c24e5394021009092be2d3ecff413aa57a440542e3b2a827fd9b54
SHA512

b6fe92909419e8eddd1eb3139c11ee968f6b6cd1b95073fde356faa707e46ffec42a819c732016175bcc4aac8da187fd75cea7b857fc1e693c6ff8a86aa1815a
SSDEEP

98304:ciMFZDHZg7++Bfe65+PdBMgV3c2Xi5DyVZD93tNmD/+IV78ZtUV+kIpOjs7D6c6Z:ciIZD2S+BfD5hEtyVGUEOA/+kU5pXn

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?BD61F8CA9173670AB79AE6FB7B7E795C | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?BD61F8CA9173670AB79AE6FB7B7E795C This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.com/?BD61F8CA9173670AB79AE6FB7B7E795C

http://lockbitks2tvnmwk.onion/?BD61F8CA9173670AB79AE6FB7B7E795C

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?BD61F8CA9173670AB7ED88EACE22F4EF | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?BD61F8CA9173670AB7ED88EACE22F4EF This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.com/?BD61F8CA9173670AB7ED88EACE22F4EF

http://lockbitks2tvnmwk.onion/?BD61F8CA9173670AB7ED88EACE22F4EF

Targets

- Target
  
  lockbit (1).7z
- Size
  
  8.8MB
- MD5
  
  a1beeabd1bccb8266631e4cce53eea26
- SHA1
  
  917975f62cda9bac4badbb09d4f5e99936e5c30e
- SHA256
  
  9f3a43ab58c24e5394021009092be2d3ecff413aa57a440542e3b2a827fd9b54
- SHA512
  
  b6fe92909419e8eddd1eb3139c11ee968f6b6cd1b95073fde356faa707e46ffec42a819c732016175bcc4aac8da187fd75cea7b857fc1e693c6ff8a86aa1815a
- SSDEEP
  
  98304:ciMFZDHZg7++Bfe65+PdBMgV3c2Xi5DyVZD93tNmD/+IV78ZtUV+kIpOjs7D6c6Z:ciIZD2S+BfD5hEtyVGUEOA/+kU5pXn
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  29.04.20TASKMNGR
- Size
  
  148KB
- MD5
  
  a7637dfb6b9408fe020d9333d0ade6dc
- SHA1
  
  930c34743ab12c80512723db0aa7b8b4762fcc84
- SHA256
  
  cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1
- SHA512
  
  a522e3be00f3c32cd318cca7995e0f6f604a0590de3f4c2830920347328d405d178bdd2c2406e3b835cc5e5037e2d2348456b138878644231af94e51fc4b4e94
- SSDEEP
  
  3072:ym0ROZIL87L1yoklfzGp3XjRaDyZYMqqD/A+lHlC:ypMCL8rpHjRa0qqD/NjC
Score

10^/10

lockbit defense_evasion discovery evasion execution impact persistence ransomware
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Lockbit family
  lockbit
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (9382) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  System Volume Information/IndexerVolumeGuid
- Size
  
  76B
- MD5
  
  72f4cc02f249d5cac6874facdf4e7b43
- SHA1
  
  f1f646083cec837fdef024924a22da3c88684b2b
- SHA256
  
  a7f40417f7140d9d652ca57c5bb2bb8c36094dd52d5d00b0887aac79ef423950
- SHA512
  
  5339fe01d217f0b1ca86427c9e10d4024ebc1de3273812d444e720f0d4b512e37a9e1c2668555415df5e5139985892e66dca69f6ff0b2a35fec11dc1e2022657
Score

1^/10
behavioral5 behavioral6
- Target
  
  System Volume Information/WPSettings.dat
- Size
  
  12B
- MD5
  
  7b11d83dea9ba26c185e926330cfada8
- SHA1
  
  450fe46e9c9c93f452cbbfc0fc779e40b8523e1d
- SHA256
  
  fa2c91106eec8837aa04ed911e7292667ee3059b109dce87108a05fdcf3dc8ed
- SHA512
  
  5486517e3bff8a6ba6bb4048ef7f63d4f6792f83a91c3f802833a92052bf514d40e9add6f5cd7bb0b2119fb37d8311d4fe088366c4ba3c179b31c76f18a2901e
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  Vacuum_Nanostructuring_Marton.doc.lockbit
- Size
  
  45KB
- MD5
  
  b68e1ca5f7e24a344ca9262b4a8c34ca
- SHA1
  
  11cb6e8a38dd26b00f6503debfbb52f97a0d6024
- SHA256
  
  af0821ba5e0889e21f6246c7f33d89caf320a5452e620d28d39948fde3ea20ac
- SHA512
  
  0233f6b9128c93bf545ba2d48b9df676ca02b90da929c63c3b509e4140d4089bcff1d0c428816c88c5a3b06fe5249193e23e8b00d3bee164d791c770d1b6aef8
- SSDEEP
  
  768:ivXzZXd+7MopNlHCgKldths98e0ao8WL3E5MSCjLI29OZBZ4kBaYp5:2zld+Jpcl1Q8eBWL3S4LiZBvBaI
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  snap.78N1BA9-1.200421.144153.tgz
- Size
  
  10.5MB
- MD5
  
  54aa5e777f8f73bb7cb8daea5cfb99bf
- SHA1
  
  c17dad826b937467d9027e2400b0fa8d35027330
- SHA256
  
  ff6cec14a3024dc65c256e802f7144f8e1dc545a9f1b8a9000c429793a5cac3d
- SHA512
  
  a1a11d293d3e92368184080c070dae0c470c0f041e32a9c02954649429d49f60e78e6d0e6c52ad67763919c7cf9e61be51cc4add7881731f1fb0b34d0cc4bb4e
- SSDEEP
  
  196608:DY036ZN7m+i93kJhxupRCknB/eIQYFJWv:NA55Juao3QYFJs
Score

1^/10
behavioral11 behavioral12
- Target
  
  snap.78N1BA9-1.200421.144153.tgz
- Size
  
  188.3MB
- MD5
  
  bf1b5fb1b74038fe40df63447bc295e4
- SHA1
  
  328e010d5297190799c8da9d96beeb71984f6498
- SHA256
  
  b575cc4e3ad799fa263f555b314195b3980405e56f81a8de04e7fb0748586cdf
- SHA512
  
  c899cbf5f800a7b63416af904c73e9246f32e488e3fc236a3a8f9500b6168842f53fa5d71f36fc5febe8e28aecf9859d772afa8d847dc6842be7ee8ff14ad16a
- SSDEEP
  
  49152:7NBqsO0PP6hzowhxNR2UK6LnQG5FrjXBvN/FCrSffGKBUMHE84L5csTOVd8Z64f0:sovu
Score

1^/10
behavioral13 behavioral14
- Target
  
  compass/version
- Size
  
  16B
- MD5
  
  69f97509ec585505abded66f778e57ec
- SHA1
  
  fd96fafa93c7c953157481d9fda21ae7d6591496
- SHA256
  
  b835bccbe49fbcf877e7d4930777d248f5077d67cde48a25ff67ebe850a08c6b
- SHA512
  
  9bc266471e77454d17003e3e93a521ef4c4332e594fb30c43eaef26176f8ae130ca9dfee55bef08f8a343b6a3dae038b9975a3a70b6cc162805fb9235298c4d1
Score

1^/10
behavioral15 behavioral16
- Target
  
  compass/vrmf
- Size
  
  8B
- MD5
  
  d7b64c3bcaa8356c9004daca73d56cff
- SHA1
  
  5b340ba43b98398b81685ce5230ac2baa6baffe0
- SHA256
  
  dc2b627ec8e006ef31d8382e6e9d8a58d93e803e5d3f8c2b8b07998ae5eca6ce
- SHA512
  
  d8d5ca10ee851cd9fbe5e7e94ad0b536dc5166a4b9465927dff05e25acba2582dfd5894bb9e3b4371fede3d67ea0e541d41fafc751b3d1dabd7f4c4afe8d80ee
Score

1^/10
behavioral17 behavioral18
- Target
  
  data/vpd_cluster
- Size
  
  978B
- MD5
  
  1f8c213d530643ea7d8518199ed95022
- SHA1
  
  5602fabcea30c50190f8f57024ed40665fb13d8e
- SHA256
  
  f10d92e70367aaac7ac1f2456855e991867e8740028bf86b7d4ebaa5f92e8477
- SHA512
  
  87262aeeb191d0b8ad4a31c6903d7244a7a8b1187f9b1fa122e20b1c07e60c41d68f783e06de6db819078eb4fec7c8291980163e6c7ecd7501ed150ae06e070b
Score

1^/10
behavioral19 behavioral20
- Target
  
  dumps/78N1BA9-1.trc
- Size
  
  214KB
- MD5
  
  c535d21fc62857c939690bf3b79b83b4
- SHA1
  
  b453ea25e2da1d88361a0604bb1701ec720dd58b
- SHA256
  
  5e079750b3b6c19ddd18580af884f93a369a71b2fd06952896c2fee6f8da5f08
- SHA512
  
  50cf6764da2b97808115b2d13cb8a2186b9e1890519842390d94d8283895eb564e4a16be4920e8b7a0c2dd70c49bf63db02b2c53f358f554c4374246e242b414
- SSDEEP
  
  1536:9FCKR8au1jzUL9POQwyysE2Cip5kl8ljVDrCE3O73F6Rrkl5RA3+J9XWD0D7RA3O:dR8au1jzUL9POQB/Y/aV2zV/dzpFlH
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  dumps/78N1BA9-1.trc.old
- Size
  
  270KB
- MD5
  
  d51b5c23deda2f6794abe46e5ed9bbe2
- SHA1
  
  eba583681e4c5e0dec8a041030a2c75c4996e7a8
- SHA256
  
  50a83de16a2916b5f4d40c81bd8822d3bdcd1632d9570864483a78550840d6e0
- SHA512
  
  4097070bf94c0e6f895823f1cbbd07cc16ecdcfc8bb698cae5edf4277aef6b3e159fe978cac533c6d2e89a5b447d43721e4279cd25029ad432e568b5acb1ed7b
- SSDEEP
  
  768:ePR4RCwy2XljMGOt+PaZR5m8kxrtt86IrOigXBvlEjixe66Timeff1yxq54p8qMH:CGXIj0ffc8ai/CjqJ17xvl4kG3p7mXp
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  dumps/78N1BA9-2.trc
- Size
  
  255KB
- MD5
  
  736e1aeca9e4ec8ba1d05bb1a13fac33
- SHA1
  
  99421fbc90e974ea815810ce6966136d370c745a
- SHA256
  
  617c40724efcf2b987342e8ee86bd049c6c5883cd1eb8b72e3ddc22fbe32446f
- SHA512
  
  476344f7b50000649618a579364c7707a4e758324b19311b3a5616638ea4d91d1cc3aaf53f4da4c9091c53fb8226e619c68aa10437cce91d3d00eb729bdd85fd
- SSDEEP
  
  1536:bAmnFXGb56rZL92UDLKt/STa3SGS3PXPklEincMLIwSL1rz8OboB8inMr5u+m/Ic:bAmnFXE6rZL92U7BL1J+EBtcoXAna8Lf
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  dumps/78N1BA9-2.trc.old
- Size
  
  281KB
- MD5
  
  dce0c0ab19e3c511b6b0bf01407cb34d
- SHA1
  
  2ff85a3d9b7378e4cef1bbf3edfdaab846b8f626
- SHA256
  
  017e6a48bbecd9032de1b70ce459a4565b9a1cd463b9c925e86668bf247cc929
- SHA512
  
  3ef3d9238039e9b292895d0c7bde80438c9ada2ad6486f62c172064db75bc1aed87053305362117f863c7c6992934c3dcf6905066bef1c986ae22dc7abb3306b
- SSDEEP
  
  3072:6J8Q9V0u5ID3HupeKB15IxvzYaixzW0HD:6J8Q9V0u5ID3HoeKL5IxvzYaixzW0HD
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  dumps/acpower.78N1BA9-1.trc
- Size
  
  1KB
- MD5
  
  154c15ede1e508358273ae4e25312a8d
- SHA1
  
  35ea0f8086934f898ad2a01d6c0a81d8309c01ea
- SHA256
  
  eb2748dc6f5cee6a9f556a0c866a37239235bb681adabfbd169202d4701d62b5
- SHA512
  
  83fd691a159fa30e134396b731559bfb021f9624c766cf3901a58185c457eb81de8222f7cab3481e626abb506fe528853732b9ea009b67b4ff7baefccbed611d
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  dumps/acpower.78N1BA9-1.trc.old
- Size
  
  15KB
- MD5
  
  09dfefc94677f65a168582f5ae89e76a
- SHA1
  
  9365afa3dcf1d560d10484a18a2eea53c1a0fa23
- SHA256
  
  7711ff973bd9ec7374e8d474117cc730f6e63e47a81fcb070e8a604b5c6a658b
- SHA512
  
  aba907d896bb8c7ef9a1ed139f67fcb4fd14d8076da8cbd4419b4fc03b2f52c1d29cfa82e5dc0cca383ab9f8c698484b94bd73335e13a43ccd44b5677beeaeb7
- SSDEEP
  
  384:vEkbi+OzXu97mP+rAmQHyHBBBBOOOOd4EK:vEkbi+OzXu97mP+rAmQHyHBBBBOOOOdu
Score

3^/10

discovery
behavioral31 behavioral32