Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 04:58

General

  • Target

    lb777.exe

  • Size

    231KB

  • MD5

    fe49d7d1ebd25845774acc939b6aad3b

  • SHA1

    28c7959a129cb4549985ba4cea38993e92cbe478

  • SHA256

    a39ffdc433fc726128c22452dd70b8b3407cc9db02a90307b937e8ab4a3aae97

  • SHA512

    f5fa1dcc51639e1230620665c5466adefd85ef95570793a0464857fde496acd3d0bddb88436fb034dea33d05142687e6fdf3f4015e43687779ffc14e0db97384

  • SSDEEP

    3072:f6/mwNj47XTyfvWyeBukAHm+cjCbhMsGjxPUC87vazsf3salBZdDmeVsPH:SbeTTyfvphBPcjCbGsGqC87rtbQTf

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?8DB8A3AE8B2470959CC3A1CCA559C2AD | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8DB8A3AE8B2470959CC3A1CCA559C2AD This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.com/?8DB8A3AE8B2470959CC3A1CCA559C2AD

http://lockbitks2tvnmwk.onion/?8DB8A3AE8B2470959CC3A1CCA559C2AD

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link -http://lockbit-decryptor.com/?8DB8A3AE8B2470959CC3A1CCA559C2ADFollow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it.Open link in Tor Browser -http://lockbitks2tvnmwk.onion/?8DB8A3AE8B2470959CC3A1CCA559C2ADThis link only works in Tor Browser!Follow the instructions on this pageLockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the siteDo not rename encrypted files.Do not try to decrypt using third party software, it may cause permanent data loss.Decryption of your files with the help of third parties may cause increased price (they add their fee to our).Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.Tor Browser user manualhttps://tb-manual.torproject.org/about

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Lockbit family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (9324) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\lb777.exe
    "C:\Users\Admin\AppData\Local\Temp\lb777.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:892
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:612
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2116
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2944
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:2716
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\lb777.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\lb777.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.7 -n 3
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2536
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\lb777.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1532
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2432
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2928
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:200
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:2100

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

        Filesize

        1KB

        MD5

        235d551c00fb6625e502d5416656c996

        SHA1

        aa1b3832ec8bee9472d9deb90b4c8a3e612a5c4c

        SHA256

        490c931e873034c2edb31139d011bb55be191b4c388d22a7b7a6741155411fdf

        SHA512

        0d146f0b0a6acdae9e8656fff3340fd38d76cd607ea462bef7a5b424ba883b394eac1c4ce8dc5e21f556af8638d93b5aa554d224630ddd48e755cd5710f51dd4

      • C:\Users\Admin\Desktop\LockBit-note.hta

        Filesize

        14KB

        MD5

        caed202fd3550cce812e6f5e1909a005

        SHA1

        22f57efaaaf69d60912203c3ceb2f34b067179e2

        SHA256

        c8e86f78c32eec8e04f82bd5bc1cc315a54824e27fe8ab2730dc51f8a8e579a0

        SHA512

        50a57f17cfa5b16ae6eec24cc1f48148120de7512b202753c42bafc072028c333f6edafb4932aaeab6be858973cdbd12ba37e6e40fb06b59a9c3af3e282f1f77

      • memory/3012-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

        Filesize

        1024KB

      • memory/3012-2-0x00000000001B0000-0x00000000001D6000-memory.dmp

        Filesize

        152KB

      • memory/3012-3-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

      • memory/3012-3688-0x00000000002B0000-0x00000000003B0000-memory.dmp

        Filesize

        1024KB

      • memory/3012-4756-0x00000000001B0000-0x00000000001D6000-memory.dmp

        Filesize

        152KB

      • memory/3012-5267-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

      • memory/3012-5216-0x0000000000400000-0x0000000003328000-memory.dmp

        Filesize

        47.2MB

      • memory/3012-10315-0x0000000000400000-0x0000000003328000-memory.dmp

        Filesize

        47.2MB

      • memory/3012-10323-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

      • memory/3012-10322-0x00000000002B0000-0x00000000003B0000-memory.dmp

        Filesize

        1024KB