Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 13:30

General

  • Target

    lb777.exe

  • Size

    372KB

  • MD5

    6c5dcbdf374073249f3477d0fd439039

  • SHA1

    ed2165fe0e5ed5c608230f6c125713d2a0934c28

  • SHA256

    bb894171229d21637bc00c3360afcbf4aa4973e1ca61f424cc15a8f26a06956b

  • SHA512

    d75b96e95f6972013c41c99cb54e892ee7f7ee54e996465d0ef2f2d21ba9941869b7b06c49bbdcf36814f19ef0105475aea99c3f49098a5f44bcb810bbf21c0f

  • SSDEEP

    6144:MLKewcnJHLFaz1ZXmkjr7ZVyf9Mcfj0bGGCM:Dfwh6ZXmk/fcfo

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\en-US\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?8841DD9B0AC925FFA1B10A684BA904FC | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA1B10A684BA904FC This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8841DD9B0AC925FFA1B10A684BA904FC

http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA1B10A684BA904FC

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?8841DD9B0AC925FFA1B10A684BA904FC Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA1B10A684BA904FC This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8841DD9B0AC925FFA1B10A684BA904FC

http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA1B10A684BA904FC

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Lockbit family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (9348) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\lb777.exe
    "C:\Users\Admin\AppData\Local\Temp\lb777.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2916
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2524
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2312
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:2544
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      PID:2932
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\lb777.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\lb777.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.7 -n 3
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:284
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\lb777.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2300
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2720
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:804
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2652
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:1020

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\DVD Maker\en-US\Restore-My-Files.txt

        Filesize

        1KB

        MD5

        5361ce2e85bfdc0fbffd027507bc7859

        SHA1

        e9b43d0b54ca5c2df0b4537dedb8c3ea77bec944

        SHA256

        ccfdc0b0b366ba4d5aaad832e6e8946496585016e641318965d859f2a8922b34

        SHA512

        a25a8fc61b00e61f3e458d479e7d4678c9ac9fa1e04c43a53b33f7405b41ed71bafd3c3653b3ebe619d3a82d8d79095203e691e0bc27fce6ae6aa2c0757f995a

      • C:\Users\Admin\Desktop\LockBit-note.hta

        Filesize

        17KB

        MD5

        6f9798637fb94548ab985e3a3a6fc31f

        SHA1

        0a2ff14bfa96e76b159b2411c5ed18fe76f278cb

        SHA256

        bf3c38617fd0b5b5cec72efba4f1371aaad7c24c47e942eaea326567e5af9dc4

        SHA512

        5701ad55b2e3e36cc8b0b65d68b88140fc3286cc34ed0c4ffbd6adeae4290afea8cbe605d3ae0aac25ee98f40458d30bab017d7d27ab783fef7fad2c991b7082

      • memory/2692-0-0x0000000000020000-0x0000000000036000-memory.dmp

        Filesize

        88KB

      • memory/2692-1-0x0000000000220000-0x0000000000246000-memory.dmp

        Filesize

        152KB

      • memory/2692-2-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

      • memory/2692-4122-0x0000000000020000-0x0000000000036000-memory.dmp

        Filesize

        88KB

      • memory/2692-4121-0x0000000000400000-0x00000000004F0000-memory.dmp

        Filesize

        960KB

      • memory/2692-4799-0x0000000000220000-0x0000000000246000-memory.dmp

        Filesize

        152KB

      • memory/2692-5718-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

      • memory/2692-10294-0x0000000000400000-0x00000000004F0000-memory.dmp

        Filesize

        960KB

      • memory/2692-10295-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB