General

  • Target

    Builds.7z

  • Size

    1.8MB

  • Sample

    241219-2bystaskej

  • MD5

    484933f81970182e04f190efe2527da1

  • SHA1

    72f0810a0ab7f1398ba9f0b0916ee97115e79cc4

  • SHA256

    3968a850f5bc70d954bb5609d929f181a6f05a117fa3be4531cbd96cedfde5d6

  • SHA512

    d9d5d96e13201de976d23783e077bb1f95af3946a44bd1347d637893e471eefed5d9b0de4a7d84d8d2040decf8cea4e3de83555b2424e58ebbc1c7eb4881e37a

  • SSDEEP

    49152:bor7D7eZFTWD/gjKZ4FhydMzOoSGSW7TeXY:UfeZFT48HSCilTWB

Malware Config

Targets

    • Target

      329D6F9DDBF138D4/locker_ESXI_I386

    • Size

      108KB

    • MD5

      a720e32658193a7f76be72363fbc919d

    • SHA1

      9b319e460a7000efd92e91a6f1072c4ee211dcda

    • SHA256

      ab8c2aca725df02bfdbfa0f493575e0dacd4467b2d0cd90c9a6acb66cb14d590

    • SHA512

      5f98f776e82c335f3a16deed12d654e7edb42236511c6eb0484fa0957ee7aa839ac85974864183e0be53333a558856ef39a1181839490b9f111a192dc71c2ff7

    • SSDEEP

      3072:5twJNAs5z2NS/P8BRlzWy5BGOiXj0hvYlx1DtqR5YeC:LwJpagWI9OiXQYlx1DtqAe

    • Score

      1/10

    • Target

      329D6F9DDBF138D4/locker_ESXI_X64

    • Size

      93KB

    • MD5

      b76b092f5188ccc8a046ffb4659c3641

    • SHA1

      82e19d8b7bc5379528feb9c3a335d70d79358229

    • SHA256

      dd1cf10faf4e638bb5a0efeeaa4bc2f1c91557c22e93d3f135e7e7c7f0e7be55

    • SHA512

      bf06f2d65f7eca482066da6b1cace219cba2e2ebae0034de3e3bae429a2e821ea2d35a41534d6d9d159ae992ef0b5c5a268a48a05ae1fbb0da69a2122631653f

    • SSDEEP

      1536:Jv8RiloA2YObuLk8WKP/gCILnPG+atNoU+tqRAJy+p4G:1Zl/2Ym8LZOnPG+iNoDtqRaya

    • Score

      8/10

    • Traces remote process

    • Reads AppArmor ptrace settings

      Discovery of allowed ptrace capabilities by AppArmor.

    • Enumerates running processes

      Discovers information about the processes currently running on the system.

    • Reads hardware information

      Accesses system information such as serial numbers, manufacturer names, etc.

    • Reads network interface configuration

      Fetches information about one or more active network interfaces.

    • Target

      LBB.exe

    • Size

      160KB

    • MD5

      d1986caa455ffa11b46341e837777e52

    • SHA1

      c045c2be676ebba04d7403f3636c7adb685a4011

    • SHA256

      e2bda5afc3e70460223a98cd3520e4ab97fd126a48b9fe7d385e1e9730a11407

    • SHA512

      ea87e4f31a45a4e54c56dc120ce26c369a02af952d0c20411677c4cba4eb442a43b776d094150458a0b72dc65b53ca29fc300739cc56f81c6f7fee5e15043359

    • SSDEEP

      3072:gDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368Pu7YlTx6gIB8FrN75DyW:K5d/zugZqll3AYrG+

    • Renames multiple (173) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      LBB_PS1.ps1

    • Size

      466KB

    • MD5

      17a7cd1ead2d35ed5d69c71d4fd7386d

    • SHA1

      734400d4444b88fe3848c80e3dba2ad9a5155c56

    • SHA256

      20dd91f589ea77b84c8ed0f67bce837d1f4d7688e56754e709d467db0bea03c9

    • SHA512

      7d5cd9b042229d1076a587b75594a002d379396d6ec889a8aee457a6a5a399130ae0a43fe0863adae23e32e46a7d17d4b55bfc2564cb17e579751161f6778828

    • SSDEEP

      1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJI:VA

    • Renames multiple (144) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      LBB_PS1_obfuscated.ps1

    • Size

      274B

    • MD5

      a8e97fe5a7115e42759d67f7e4d88b0d

    • SHA1

      7a4dce9165f34ca44e79b06f3a07281f6cf08823

    • SHA256

      d9e7a01521d956c5ef3e07153209be63da738eee98902050c06424292d7b1387

    • SHA512

      77126af7f207d4ab854e3293936c73591289ca97211823513941bdae60b9da48fc3b829e2819ef1230f86cb8761eab37f6dca61281b2dfc7209ce471af68422b

    • Score

      3/10

    • Target

      LBB_PS1_pass.ps1

    • Size

      590KB

    • MD5

      d96d2bcf13d55740f3bb64d45d2db94d

    • SHA1

      4ded4b1d4866a4adf534f5a4eb66386465fe3120

    • SHA256

      82d89a75d80e80e4be42c9eb79e401558c9fa3175648cd0c0467f2de1a07a908

    • SHA512

      cb1fbe8f36630915796d864c5a044177ea4ad881281ec454f932232fff99ce0524fb63becd96581a23cfe12bc455d55b613aaa389aa0a68fac97748400f473bd

    • SSDEEP

      1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJh:QA

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Target

      LBB_ReflectiveDll_DllMain.dll

    • Size

      113KB

    • MD5

      ab5bdca69285d4838af12117c910bfde

    • SHA1

      208060cf988f1702124504bae0c6a4addbeb6db3

    • SHA256

      5594fea724aa3a124b259e81999f20affecb2238f7e517c56c450a3a311ab2bd

    • SHA512

      33c8cb31dd142defcf52ddadaa540d86d8fdd586ad3f0f280d90c66279cf09229edde08efb9daac81383f65ba171b86344c4e5c6343b02270bfa92201e08f547

    • SSDEEP

      3072:+/fNzovq5EKHttru48dBVFktgraAyHXU:+/Gvq5EKH6zdrFPraA

    • Renames multiple (173) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      LBB_Rundll32.dll

    • Size

      158KB

    • MD5

      0682f7cfceb51d4a6a213b9fe4159ad2

    • SHA1

      777833fdaf0c1e5d03dde300dba3947a9b65c656

    • SHA256

      00aa54bfab3963a2c006058e48cde42e299811f9b85acbc69406c5bfb331f789

    • SHA512

      72d79387ca0d9579d7a7bb7c6c729048bd1321fd07653cb7cbc9bedcc217fd18414b02b46f83843b3f90d0841fc61f24f0ef19700326d8a8aaf6366a00bc5113

    • SSDEEP

      3072:thKVNA/3U+Z15B5RPu+zYNkQA1Izqa26odDWtiSCC8lvdLW:thoyUyX5RPu+zY6+Wa26iDWsSCC8lvI

    • Score

      3/10

    • Target

      LBB_Rundll32_pass.dll

    • Size

      154KB

    • MD5

      b51e42d419218e70b0ae216c3ac57784

    • SHA1

      f3023c627d1dce8d5ff4e6733af420df350fdda7

    • SHA256

      a98fb2671ae63d179c1cf39d163a4b3dbf769c9951a0ebad5d4c76244752253e

    • SHA512

      96fa388526984f3976ddb5f5376af88200e3d85bc41754556f9b00be32c81332d52aeb5b1e0387ce83be220f34199a88379aa9c90f679eb17ac10f9cf8714f37

    • SSDEEP

      3072:sUM/b6nriEhhyj26gWNOm18JcdwgqYUkSvVDjogUliww56T9tEtc:sUsmr7yX3Um18JcdwgqYUkCRjorqGTP

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Target

      LBB_pass.exe

    • Size

      156KB

    • MD5

      0e38243dcb91851f0646140a16d6832d

    • SHA1

      d5a11399206c54ef1bd11945a5f6a0d721c4a6c9

    • SHA256

      635e9ca3baae7e32225f05d16159e339a297a4c1b749e5a8e81ffc8df3c5c37c

    • SHA512

      8198cf16b815c697e94b8b19b7555191189d6eba2e0bc2b5690277244dcf7da74907d95d8a10bb9bf43a23ae94e5fb57d062c00f947fe8558c9ef633bb066b0e

    • SSDEEP

      3072:iMvRBMY5u+t3YSs1C439/FgfDcTDnHNszfp0QoHkIgep3i8Skb4wE4Ab:ikBS+5YSsdLTH6zfQEupRUb

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Target

      FC8E43EC21BE9047/lbg32.exe

    • Size

      60KB

    • MD5

      c5cc3c5cef6b382568a54f579b2965ff

    • SHA1

      e85b5bf2fd1ea0d5d71841f2cc8d46fc2055c22b

    • SHA256

      48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5

    • SHA512

      74d93ba3dc7b3fdfafe30663162dad3fee0b278d12fea527eb535b4eb25979dcc365b49cb702ac9c2addbb0ee550310759e88c2657b61a2b0e4906d4099281eb

    • SSDEEP

      1536:SAndsqiqdYMRgIaN04k27Gtdf/3U9s1iGbQTqL9:Fds3vIaN04kKGhjmq

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      FC8E43EC21BE9047/lbg64.exe

    • Size

      49KB

    • MD5

      8ff61e4156c10b085e0c2233f24e8501

    • SHA1

      69d50a8efd73c619aa36113ec04368db83d9b331

    • SHA256

      3552dda80bd6875c1ed1273ca7562c9ace3de2f757266dae70f60bf204089a4a

    • SHA512

      dbde74b89d498d708215ddfdc9a2a38cb27be931c9fe2d5965aba3c31482a0efbe39913ed17eabe5eae3b5efc9cb369589784e7d9ce5b2e89505c10406038249

    • SSDEEP

      768:9pZt6fz03gUYxTSGCoTrxTjA+xqCkEiAOPZAzEZoo6Czcit6OjeB6:jpQRNSGCo64OxAgZUCcicvB6

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      1007BF65F80311D2/locker_ARM64

    • Size

      84KB

    • MD5

      e6aba198c3154facdaa8519f8104ebd8

    • SHA1

      ee6eae91568da7d71d0b3407c05d55b2e115c794

    • SHA256

      ae86f2041c473ffb061518973271bda302f99391c74d12f494596edf8989f787

    • SHA512

      63486d2ff59d8d9517f18e493f84c7bc81f483af3edcff2e62868cab1b00c31473f3beebb4985b6452932c5589e8da76c6a4c2b9f60efe6cd5f711b034b15566

    • SSDEEP

      1536:xlu2A/VyIZ6K1zcvsDxvc/I1vn1y0ONBoU+Vqnl4ARSX6DDididcHQ:Xuv/QIZP1rxz1vn0joDVqnagSX6DDi0D

    • Score

      1/10

    • Target

      1007BF65F80311D2/locker_ARMV5

    • Size

      103KB

    • MD5

      516b79a3c994df308172aa67d353ff2f

    • SHA1

      e312f14bc1544e20af0cd41a3571a2cbe1ebe582

    • SHA256

      a60acd0adeccbe29ff8402db0e974eba25c9acf98a3af98940e518d465fb1bbe

    • SHA512

      b7a1a3e7ee64f8d0f538fdba5cc693134c475c4ce760cc4b314c26d1298794ff350eafd28a772f9da98332accb7a92674791d361bac0a17feb63e27bd4c84462

    • SSDEEP

      3072:0zmoAp+UN6YmA4pLCQJ91ToDVqNrPOzng:0zmbkUpmA4pFJ918DVqNrOzg

    • Score

      8/10

    • Traces remote process

    • Checks system information (zLinux)

      Checks system information on IBM zSystems that indicates whether the system is a virtual machine.

    • Reads network interface configuration

      Fetches information about one or more active network interfaces.

    • Target

      1007BF65F80311D2/locker_ARMV7

    • Size

      87KB

    • MD5

      89d3236f0129595a919cc70728b9316e

    • SHA1

      107f6e9ab0cb01247f2c5d65388dad8fb67d4804

    • SHA256

      cfc9ba36d03736d01a6208e0c9cc3cd7db29c1f8e531f53ae7dce812f19c08bb

    • SHA512

      ca23b1285131eacc437f44961e8bb71c52932f399a3aee35069ee2e490fc1cf8e53c0656701e938afb8930640447b0b8ecdb6885fe908a312a11ed29c8eb4466

    • SSDEEP

      1536:BcwSL24h5CJB/bfDZv3v+AToZTZ7rnCWz6J6nqPfBoU+Vq+Eauk2rVSx731fHBze:KFLr5CJBwHZTZaWuJt5oDVq+Eauk2rVN

    • Score

      8/10

    • Traces remote process

    • Checks system information (zLinux)

      Checks system information on IBM zSystems that indicates whether the system is a virtual machine.

    • Reads network interface configuration

      Fetches information about one or more active network interfaces.

    • Target

      1007BF65F80311D2/locker_FREEBSD_AMD64

    • Size

      89KB

    • MD5

      1eff6c83819f04149cf7a73a9ad56969

    • SHA1

      ae9d65a37ffaa4ee962df70c54978846c31b28f1

    • SHA256

      3df9493be5c112266ea3ea5a3499823939c259b40f3a7b37dabba8ee7159be0e

    • SHA512

      8178ca21a1f9d3e491604eea9b62b04bccddcc70ef1aa050be97aeed541065e99a01dd4dc3e221abbc6d8db3989e4a41276974d932f928cafbbeabce5274a35c

    • SSDEEP

      1536:8RkgM4sJraTrK1S0ybkU+tqR+Y5mzmdMzea5YT:AlsFKuS04kDtqRZ5mzMMzR

    • Score

      1/10

    • Target

      1007BF65F80311D2/locker_LINUX_I386

    • Size

      104KB

    • MD5

      998bff093fbc351a35cd48ebc7ef74e8

    • SHA1

      518ae8806b471906bb1d8818f3fbce81d65a2dba

    • SHA256

      9aa74768de5b8320610a4031c07bcfb87c7b79767aa7886b640c946fbeb5f94f

    • SHA512

      94c88586194de5f64ccea764a889a4dde2aa85ddb7de76bbc187edd2ac2e3f530aa5bfd27cba23f71df2de2c89870ee18206760aa99fd1d200cf01b3181045ca

    • SSDEEP

      3072:cMsNzSDXSpjkKAs5z2NS/P8BRlzWe4JXhcXT30hJuMDtqRmUWPG:cMsFSDs7agWIe8XhcXTOuMDtqVW

    • Score

      1/10

    • Target

      1007BF65F80311D2/locker_LINUX_X64

    • Size

      89KB

    • MD5

      194a218bb7c8593df0621789488f6907

    • SHA1

      89a60bc4e8b7c8188b8f3e96e799f2e455791f87

    • SHA256

      6c5252c6653d82e1ff9f57cc0dc98e6d6c7a8c3405ffc418c5b94cc7e47cf057

    • SHA512

      c9f32b7cdf3692a62a6e727148577bbdd753bac8df09f7c97075c50fd564ae780079ec3478e136c198027523b60767ab0d298ca01476361d299dc4eea9c0435b

    • SSDEEP

      1536:h23bmHSlAhb6eo1xrac08UGNnPnEsT9VxU+tqRAsemhgYBzvI:4rmHSlAhbx+K8UUnPEsBVxDtqR19gAI

    • Score

      8/10

    • Traces remote process

    • Reads AppArmor ptrace settings

      Discovery of allowed ptrace capabilities by AppArmor.

    • Checks system information (zLinux)

      Checks system information on IBM zSystems that indicates whether the system is a virtual machine.

    • Enumerates running processes

      Discovers information about the processes currently running on the system.

    • Reads hardware information

      Accesses system information such as serial numbers, manufacturer names, etc.

    • Reads network interface configuration

      Fetches information about one or more active network interfaces.

    • Target

      1007BF65F80311D2/locker_MIPS

    • Size

      126KB

    • MD5

      9700dc992a950aa6e76d8d4de5ceff38

    • SHA1

      45dba47c0c0358627ae1a79463ed981017d30643

    • SHA256

      9c7ff1b686e05948de8d3e51dec88ff21b9b69418a10ba3e08de340f4503c064

    • SHA512

      68649687288f1dbe2e0dc202837579467eb2bc31e411d394431257fc5e3085db7283846741385e9d059bb11162bf53865e211a2d36fe8159125a377521ceff13

    • SSDEEP

      1536:SXzYBjV+P1NVt1dFMMaH6HULoecIJnvjK2WIAb92aUeX/ZbnBUZulb9S4AbIPLxQ:SXzKx/FLWI7kQ4/tnU04+jOoa

    • Score

      8/10

    • Traces remote process

    • Checks system information (zLinux)

      Check system information on IBM zSystems which indicate if the system is a virtual machine.

MITRE ATT&CK Enterprise v15

Tasks

static1

lockbit
Score
10/10

behavioral1

Score
1/10

behavioral2

antivm, discovery
Score
8/10

behavioral3

defense_evasion, discovery, ransomware
Score
9/10

behavioral4

defense_evasion, discovery, ransomware
Score
9/10

behavioral5

discovery, execution
Score
5/10

behavioral6

defense_evasion, discovery, execution, ransomware
Score
9/10

behavioral7

execution
Score
3/10

behavioral8

execution
Score
3/10

behavioral9

lockbit, discovery, execution, ransomware
Score
10/10

behavioral10

lockbit, discovery, execution, ransomware
Score
10/10

behavioral11

defense_evasion, discovery, ransomware
Score
9/10

behavioral12

defense_evasion, discovery
Score
7/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

lockbit, discovery, ransomware
Score
10/10

behavioral16

lockbit, discovery, ransomware
Score
10/10

behavioral17

lockbit, discovery, ransomware
Score
10/10

behavioral18

lockbit, discovery, ransomware
Score
10/10

behavioral19

discovery, spyware, stealer
Score
7/10

behavioral20

credential_access, discovery, spyware, stealer
Score
7/10

behavioral21

credential_access, discovery, spyware, stealer
Score
7/10

behavioral22

credential_access, discovery, spyware, stealer
Score
7/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

antivm, discovery
Score
8/10

behavioral28

antivm, discovery
Score
8/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

antivm, discovery
Score
8/10

behavioral32

antivm, discovery
Score
8/10