Analysis
-
max time kernel
8s -
max time network
81s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
18-12-2024 09:54
Static task
static1
Behavioral task
behavioral1
Sample
LoaderCrack.exe
Resource
win11-20241007-en
General
-
Target
LoaderCrack.exe
-
Size
13.8MB
-
MD5
6b7d4fbeea8898c09dec037a5603ccfc
-
SHA1
1c05bf1404bf9e5d5bf6d4f6a51bd1593010bf95
-
SHA256
42cdd8756d31e393e6a0d447dc36a6439f1683ab5be45fc08d90f826a5c1390c
-
SHA512
78bfd5513dbc968612d36bd5058c28054459f60f1021893e514ce853c514afa6b15b0318b9f453274a4e8e9ec4bff216bec859241c115c7fee6194791a240332
-
SSDEEP
393216:RZhibf3qeZdLLUcTLRU0MLYJJKMqNtDH4x1mpLg+glX5h:1ibVZB3RTZ1qNtcxw2+g3h
Malware Config
Extracted
C:\yEdTs6uGy.README.txt
lockbit
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Renames multiple (502) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process
File opened for modification C:\$Recycle.Bin\S-1-5-21-2584844841-1405471295-1760131749-1000\desktop.ini LoaderCrack.exe
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2584844841-1405471295-1760131749-1000\desktop.ini LoaderCrack.exe
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LoaderCrack.exe
-
Modifies registry class 5 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\yEdTs6uGy\DefaultIcon\ = "C:\\ProgramData\\yEdTs6uGy.ico" LoaderCrack.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.yEdTs6uGy LoaderCrack.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.yEdTs6uGy\ = "yEdTs6uGy" LoaderCrack.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\yEdTs6uGy\DefaultIcon LoaderCrack.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\yEdTs6uGy LoaderCrack.exe
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid Process
760 LoaderCrack.exe (60 identical entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeAssignPrimaryTokenPrivilege 760 LoaderCrack.exe
Token: SeBackupPrivilege 760 LoaderCrack.exe
Token: SeDebugPrivilege 760 LoaderCrack.exe
Token: 36 760 LoaderCrack.exe
Token: SeImpersonatePrivilege 760 LoaderCrack.exe
Token: SeIncBasePriorityPrivilege 760 LoaderCrack.exe
Token: SeIncreaseQuotaPrivilege 760 LoaderCrack.exe
Token: 33 760 LoaderCrack.exe
Token: SeManageVolumePrivilege 760 LoaderCrack.exe
Token: SeProfSingleProcessPrivilege 760 LoaderCrack.exe
Token: SeRestorePrivilege 760 LoaderCrack.exe
Token: SeSecurityPrivilege 760 LoaderCrack.exe
Token: SeSystemProfilePrivilege 760 LoaderCrack.exe
Token: SeTakeOwnershipPrivilege 760 LoaderCrack.exe
Token: SeShutdownPrivilege 760 LoaderCrack.exe
Token: SeDebugPrivilege 760 LoaderCrack.exe
Token: SeBackupPrivilege 760 LoaderCrack.exe and Token: SeSecurityPrivilege 760 LoaderCrack.exe, alternating in pairs (24 entries each, 48 in total)
Processes
-
C:\Users\Admin\AppData\Local\Temp\LoaderCrack.exe
  "C:\Users\Admin\AppData\Local\Temp\LoaderCrack.exe"
  PID:760
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    PID:1512
  C:\ProgramData\F761.tmp
    "C:\ProgramData\F761.tmp"
    PID:240
    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F761.tmp >> NUL
      PID:1320
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID:3000
C:\Windows\system32\printfilterpipelinesvc.exe
  C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID:1936
  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
    /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{AE8FECE8-E173-4845-ADAC-3F0E4B9C7AB2}.xps" 133789894537960000
    PID:3892
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
129B
MD5 655ee3f7216f0de24457996b52b531df
SHA1 19ef712caa2afd01cc923efaa2d7b6f677d86523
SHA256 bbef511deabd28a06dc79a088a2825c959b6601ddb95b7d78d865f1874867a97
SHA512 4455a6041a595a795435adeb75c88f062960c018a7b544222682e47f0057f11211c042188e9f06d216ec762458e524769e21855a2101c20a6aa643a0edf4776d
-
Filesize
14KB
MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
13.8MB
MD5 21fa32e462502a2d7d5356237bdf7818
SHA1 16e1ea82c017a821a6488bbfb6d66a518cd829df
SHA256 49630cceaf68c67e633be71f4a4eb64f37c3eb6b5f1cd54a86dbd72b72112588
SHA512 bf4e770066ebda933cf24392f91a81a6eebbdcd3ce0218329ef90af29a476c8a78e6bbedd6c7af61ddc47b4c00e3d617e3e467ba7a6f4f47622da461150d9af3
-
Filesize
4KB
MD5 3daec69333e0a8220472c8880d8e4728
SHA1 0e2adce73ab9705ad21236019b1d6170c9e8cd70
SHA256 557f294b7e9fecf4a1286ace496508cd94929e4ac254ace80bc9c3ed021aabae
SHA512 5ee2af2c9094ba2607af406312247a5d3777e9b0691e5490d2c393cbcf62af7fac0946357925bbe0826c586edd172ab70b39b3e061dfa2e24b8afa0736a5fca0
-
Filesize
4KB
MD5 6b6bec4047eead8d0a48de2d03decd64
SHA1 4047cecd2e8b7bb940fded27a370c2764759a873
SHA256 37013bcb9086811078c702e2c25f3333b589510f1dcc6cc7a1d781bec9d98fbf
SHA512 628c7e6f7d7cb0546ce5875ce20bccf6db2b47c9cbce232e643c87b8ea72fc77586367d8510c9e45edaab479d1276ba9f4051985dee6db1ca0866f5eca156d68
-
Filesize
6KB
MD5 b38470648533fde5a3feb2ed9bce7ea5
SHA1 824e2294fcf97ed0bf3eff9d52233f937ef43a45
SHA256 e5053baf4e970c787ba7cff0e7bfc8a1a8d47b4d3a7ee4ef656a36480aeb826f
SHA512 6a91df8c3da7913dea61775d291fbd36e1990722cade9dc6376772955a56fe706c95ee57dccbc898ee6541fd0ef96e1110bcf863c7d3bf9b0f535df591ceb6ae
-
Filesize
129B
MD5 ecc2354b5918781f884d4aaa95bc24a4
SHA1 b14e38e5994ee942d24a634eae14872fa094ec40
SHA256 a7b4bd5c7561efe775890b085ca8ecf1d65e6305ba66ffa5a3036306f97daebe
SHA512 cb379e646ffce132905f1e353dfcfca3820167ae755e9036a4e7b668429b44c8f0dcc349a03ed48659eac4c12562522f7882ba6d9d1fa0b0d0f9fb2254756ef7