Analysis
max time kernel: 88s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 10:01
Static task: static1
Behavioral task: behavioral1
  Sample: LoaderCrack.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: LoaderCrack.exe
  Resource: win10v2004-20241007-en
General
Target: LoaderCrack.exe
Size: 13.8MB
MD5: 6b7d4fbeea8898c09dec037a5603ccfc
SHA1: 1c05bf1404bf9e5d5bf6d4f6a51bd1593010bf95
SHA256: 42cdd8756d31e393e6a0d447dc36a6439f1683ab5be45fc08d90f826a5c1390c
SHA512: 78bfd5513dbc968612d36bd5058c28054459f60f1021893e514ce853c514afa6b15b0318b9f453274a4e8e9ec4bff216bec859241c115c7fee6194791a240332
SSDEEP: 393216:RZhibf3qeZdLLUcTLRU0MLYJJKMqNtDH4x1mpLg+glX5h:1ibVZB3RTZ1qNtcxw2+g3h
Malware Config
Extracted from: C:\yEdTs6uGy.README.txt
Family: lockbit
URLs:
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Lockbit family

Renames multiple (664) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 1CFA.tmp

Deletes itself (1 IoC)
pid | Process
3544 | 1CFA.tmp

Executes dropped EXE (1 IoC)
pid | Process
3544 | 1CFA.tmp

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini | LoaderCrack.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini | LoaderCrack.exe

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PPj45bmil4373fktebdw_n3b8w.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PP11p0i1mmmbat_qrl5r04qazsb.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPypi2mz0p_op780idcrxxek3_d.TMP | printfilterpipelinesvc.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\yEdTs6uGy.bmp" | LoaderCrack.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\yEdTs6uGy.bmp" | LoaderCrack.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
3544 | 1CFA.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LoaderCrack.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1CFA.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE

Modifies Control Panel (2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\WallpaperStyle = "10" | LoaderCrack.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop | LoaderCrack.exe

Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\yEdTs6uGy | LoaderCrack.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\yEdTs6uGy\DefaultIcon\ = "C:\\ProgramData\\yEdTs6uGy.ico" | LoaderCrack.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.yEdTs6uGy | LoaderCrack.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.yEdTs6uGy\ = "yEdTs6uGy" | LoaderCrack.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\yEdTs6uGy\DefaultIcon | LoaderCrack.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3832 | LoaderCrack.exe (64 identical rows)

Suspicious behavior: RenamesItself (26 IoCs)
pid | Process
3544 | 1CFA.tmp (26 identical rows)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeAssignPrimaryTokenPrivilege | 3832 | LoaderCrack.exe
Token: SeBackupPrivilege | 3832 | LoaderCrack.exe
Token: SeDebugPrivilege | 3832 | LoaderCrack.exe
Token: 36 | 3832 | LoaderCrack.exe
Token: SeImpersonatePrivilege | 3832 | LoaderCrack.exe
Token: SeIncBasePriorityPrivilege | 3832 | LoaderCrack.exe
Token: SeIncreaseQuotaPrivilege | 3832 | LoaderCrack.exe
Token: 33 | 3832 | LoaderCrack.exe
Token: SeManageVolumePrivilege | 3832 | LoaderCrack.exe
Token: SeProfSingleProcessPrivilege | 3832 | LoaderCrack.exe
Token: SeRestorePrivilege | 3832 | LoaderCrack.exe
Token: SeSecurityPrivilege | 3832 | LoaderCrack.exe
Token: SeSystemProfilePrivilege | 3832 | LoaderCrack.exe
Token: SeTakeOwnershipPrivilege | 3832 | LoaderCrack.exe
Token: SeShutdownPrivilege | 3832 | LoaderCrack.exe
Token: SeDebugPrivilege | 3832 | LoaderCrack.exe
Rows 17 to 64: the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege repeated 12 times, each row for 3832 LoaderCrack.exe

Suspicious use of SetWindowsHookEx (13 IoCs)
pid | Process
2584 | ONENOTE.EXE (13 identical rows)

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 3832 wrote to memory of 4128 | 3832 | LoaderCrack.exe | 91
PID 3832 wrote to memory of 4128 | 3832 | LoaderCrack.exe | 91
PID 4032 wrote to memory of 2584 | 4032 | printfilterpipelinesvc.exe | 103
PID 4032 wrote to memory of 2584 | 4032 | printfilterpipelinesvc.exe | 103
PID 3832 wrote to memory of 3544 | 3832 | LoaderCrack.exe | 105
PID 3832 wrote to memory of 3544 | 3832 | LoaderCrack.exe | 105
PID 3832 wrote to memory of 3544 | 3832 | LoaderCrack.exe | 105
PID 3832 wrote to memory of 3544 | 3832 | LoaderCrack.exe | 105
PID 3544 wrote to memory of 4160 | 3544 | 1CFA.tmp | 106
PID 3544 wrote to memory of 4160 | 3544 | 1CFA.tmp | 106
PID 3544 wrote to memory of 4160 | 3544 | 1CFA.tmp | 106
Processes

C:\Users\Admin\AppData\Local\Temp\LoaderCrack.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\LoaderCrack.exe"
  PID: 3832
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe
    command line: C:\Windows\splwow64.exe 12288
    PID: 4128
    - Drops file in System32 directory

  C:\ProgramData\1CFA.tmp
    command line: "C:\ProgramData\1CFA.tmp"
    PID: 3544
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1CFA.tmp >> NUL
      PID: 4160
      - System Location Discovery: System Language Discovery

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 1604

C:\Windows\system32\printfilterpipelinesvc.exe
  command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 4032
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
    command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{C46ADF15-F609-44FF-AF1F-24D3D816B1A8}.xps" 133789896841590000
    PID: 2584
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: c5aa48475d2318f9d6acb4cb9c58f275
SHA1: 33ccb4c66bec06b6ea756ebf229c3c2cf4626a49
SHA256: b8976cb5d190a2c9ac661597527b1cf3fa12423c51ec1e1db1fe38e577b9dd36
SHA512: 1a36e3e4944eadcbd1a5ead9a91ccc82b20df71f865fab4d4bc8441817caff52e8163f746f160fc0f4feacb95970cccc93b67aa9c41765d38034232ba5586c5f

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Filesize: 13.8MB
MD5: 938eeec4d8edfdd3f4497fa0ac8033a8
SHA1: a389a4dc789f5cbe911377200ffbaec334eb8f26
SHA256: b829f77a40a475919d2b1bc3fcc400248cbce394a957c38ea9bc13e2e7ae6850
SHA512: 66902a71336a67719eb446b7a8c07b9063ea079568fe0bf70c2e5ccccb565afcbf984a67e000e3d429377a554127b09a55376fbf36f9d765edd13cea3b796974

Filesize: 4KB
MD5: 7bc1917feb38f5c58cbf75a49aed1f9a
SHA1: e419ec1217f30d33f90eea63ad1492640912886b
SHA256: 59bd18edd93f551826d7e76b75cdb732eb2efe9a68555ea36a3b4cec765ac9f5
SHA512: fa3caa4974730fd55e8e8d408a57677ef76061d50d77170feee980a41a86d9c440994f08d9d62554e6ee5bf25e3f4335d03d09250bd04e244556b5d1a73ce164

Filesize: 4KB
MD5: 1946246b629d131a0f38611b2e5d7ef6
SHA1: 02d0189f3413574b2748c5f3a7ecf2d9ef3d4333
SHA256: cfb8716c5a90fb016f7cc0ec3d0771417dfa6dfe19a6f10f3c9a000a0331c625
SHA512: c8aca5e051c45e21f77acd4d52f51afce87ebce333d357f5bbb46daa072f2851351bb4b8bf812dd182cac76ea3811f2d3218bf1eaab5c67ebbd364120ad0882f

Filesize: 6KB
MD5: da543783749e02a9b451ec822390c159
SHA1: 24efc11f280ded6f19dac9ec54e8364240cb26a2
SHA256: a6982fbf7dd4fe2c2561cc07fc6de02c2ab599e1a015c605fb54dc508fcfb321
SHA512: 7fbc5ed3c1d15fb6aaea270e9bc69a2ccad7eb1ffdb19ef7309962362f5cffa8b43a491666113348119618d46d3713529b933926fb3e9460ee1a784969292003

Filesize: 129B
MD5: da710383684ad003524e92c259fcdb5f
SHA1: 23e486dbfaca841160c061f520a042a62f3277a7
SHA256: 186167ec129ee023c71d39b039338347d967dbfb33e4602f0474b843578cb1fa
SHA512: e8cc68d1910c93b4f7e37a99f2e69c49a1713baf6eda0a86dc7487f2780f580348cf876879ad11ed6f23bf9ec147d8c0edb39cc0feb7ef7fe587e4ef88f61bda