General
-
Target
2024-12-15_aecba8b7d020a31ed5aa006290701735_lockbit
-
Size
959KB
-
Sample
241215-v6whlssrfp
-
MD5
aecba8b7d020a31ed5aa006290701735
-
SHA1
3b8c729db2944bf45d4471a40fc1d8476e0fa59a
-
SHA256
fdb2e3913185b9f53113fc7ad7a491515335eb09c054390322f4079fbe4451ed
-
SHA512
01586ccc06ae0eb984adb4008f1a6f10cd5544311a5ef0d05094778d6bb6d1e241396a354b9f9a5d9802aa838b16edb595d8434ae80405663bf852cfb97535b8
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdvF:Ujrc2So1Ff+B3k796p
Static task
static1
Behavioral task
behavioral1
Sample
2024-12-15_aecba8b7d020a31ed5aa006290701735_lockbit.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-12-15_aecba8b7d020a31ed5aa006290701735_lockbit.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\Program Files\dotnet\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\Users\Admin\Desktop\LockBit_Ransomware.hta
https://decoding.at/
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
Targets
-
-
Target
2024-12-15_aecba8b7d020a31ed5aa006290701735_lockbit
-
Size
959KB
-
MD5
aecba8b7d020a31ed5aa006290701735
-
SHA1
3b8c729db2944bf45d4471a40fc1d8476e0fa59a
-
SHA256
fdb2e3913185b9f53113fc7ad7a491515335eb09c054390322f4079fbe4451ed
-
SHA512
01586ccc06ae0eb984adb4008f1a6f10cd5544311a5ef0d05094778d6bb6d1e241396a354b9f9a5d9802aa838b16edb595d8434ae80405663bf852cfb97535b8
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdvF:Ujrc2So1Ff+B3k796p
-
Lockbit family
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2