General

  • Target

    JaffaCakes118_d63224f2076b5cdb010e31dd408b07218381fd21939f8bd3b4aa8f5c03f6a702

  • Size

    2.5MB

  • Sample

    241228-3nvglawjdl

  • MD5

    de6c6b3143f6d911c84e3a328854d98f

  • SHA1

    902d930733dd950bb376cf46511489b6c82401d6

  • SHA256

    d63224f2076b5cdb010e31dd408b07218381fd21939f8bd3b4aa8f5c03f6a702

  • SHA512

    e87239cb4e2b79152baded43758adcb0cf980e32b11455b9072ce4059f4a4bf67b926631e67789a97ecb8ef917c7bc5f51f3cd16b41488724c4531890ae58a2a

  • SSDEEP

    49152:si4J5Oovif8jmqjm8H2zDNl9ooITRJQg262UHrSG97597tjm8DBB/bBn7lQK:e8ovif8j3jMDNvJCSVWXj7TBnD

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86C222C51750A0295C This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86C222C51750A0295C

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DDB155C0F02FEBC3A This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DDB155C0F02FEBC3A

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?C841D0BEAB3F0D599D0170E620EAB47D This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbitks2tvnmwk.onion/?C841D0BEAB3F0D599D0170E620EAB47D

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?C841D0BEAB3F0D59C7159D4B42C6D6C4 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbitks2tvnmwk.onion/?C841D0BEAB3F0D59C7159D4B42C6D6C4

Extracted

Path

C:\Program Files\DVD Maker\es-ES\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?AAE804B63F2D44F79EB942613F1DCC1D This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbitks2tvnmwk.onion/?AAE804B63F2D44F79EB942613F1DCC1D

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?AAE804B63F2D44F7B32AF2F59F728963 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbitks2tvnmwk.onion/?AAE804B63F2D44F7B32AF2F59F728963

Extracted

Path

C:\Program Files\DVD Maker\fr-FR\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DDF4525CBD70CDE0E This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DDF4525CBD70CDE0E

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DB8D1C36CDE5253DD This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DB8D1C36CDE5253DD

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?828C57864CBB23B6A07ACAC52F99039B This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?828C57864CBB23B6A07ACAC52F99039B

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?828C57864CBB23B6C1A08177D6E22203 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?828C57864CBB23B6C1A08177D6E22203

Targets

    • Target

      0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335

    • Size

      151KB

    • MD5

      1fbef2a9007eb0e32fb586e0fca3f0e7

    • SHA1

      3e86304198d1185a36834e59147fc767315d8678

    • SHA256

      0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335

    • SHA512

      94de457c74b783413514bc5804e86f5e1f0962dc03acf12d0a22c8b383b099518242314862417c24e5b13101b135d36dce285f4db11c989f3bc4331ce1b437b0

    • SSDEEP

      3072:3m5H8y2mrr217uS8nW+cpsCp2cOy1cjKCy8YjKGiyWDDuMqqD/E0a3Hv/:3MHf2mr/Ww74cdlzXFqqD/Za//

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9352) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18

    • Size

      150KB

    • MD5

      1f4f6abfced4c347ba951a04c8d86982

    • SHA1

      a4c486b0926f55e99d12f749135612602cc4bf64

    • SHA256

      1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18

    • SHA512

      ae9d631a193d04194bcb54ccf5573730c04b2d9d732addf04af2100e7d67584a3cfba67cfaa2a9da05099d71c56dd58cfdb9f58d070b72ae58d0add20cf0afd3

    • SSDEEP

      3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/:pq/1VP1OyysNmJyXsqqD/ls/

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (8231) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592

    • Size

      316KB

    • MD5

      4de69c226426a742a17ade81cde8d1f9

    • SHA1

      ea10e601a2fb81362687421bc0b8f9d6238d7dfa

    • SHA256

      1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592

    • SHA512

      26cab9c626d2d2332942808d1d71f0f8f114d1b8a6e1f3d760850a065a4856c1c2ba9c896be0353457c684f4251357a3bd641dc7547940651cc70fb9050a4c6a

    • SSDEEP

      6144:DpeR+KBiFmRCPxGiVpAPtL4Kc/4rj8IydT3tm5zDy:DponOmMPNV1/4rj8IydTdj

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9356) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770

    • Size

      67KB

    • MD5

      9fe9f4ee717bae3a5c9fdf1d380e015d

    • SHA1

      7df22f2fbe86a07070f262f94e233860b6ae66b2

    • SHA256

      1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770

    • SHA512

      546deacbdcfb91a01895fef3a4775f2542642cb20999c5936f50715f173db327c9a8fa5dade93e6fa5cfdc9db3b12238ce20dc7dc41fe9874453e1bf4621224a

    • SSDEEP

      1536:e/0JJMzS/5uJup2KN/Z9SQ2illYOcJngsxmZ50fBbjpAeuwC:e/qJMq5uJupjSQ2+1ctgY5bjpp

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9376) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739

    • Size

      150KB

    • MD5

      207718c939673a5f674ce51f402cfc06

    • SHA1

      791f60a24f9b6589a2afed48b3ec17fad43bc1db

    • SHA256

      26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739

    • SHA512

      61a00f0da602100ca4913e94720f873ef682b793e246d9e7e119c9947c102e2888be64cee72e851ef3d24fbbd671cbe70af162f10049e8ef75b475b4a032e701

    • SSDEEP

      3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/:pq/1VP1OyysNmJyXsqqD/ls/

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (6461) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f

    • Size

      765KB

    • MD5

      5cc28691fdaa505b8f453e3500e3d690

    • SHA1

      cb3fb57b5c70c3a2f30aa3af078bbb1cfdd1bf02

    • SHA256

      286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f

    • SHA512

      0c4eb6a067456c91af908a4c2f77e84a80ba8d77682ba00b06a56af4062e2caf68cb7e63ef7500ae13a1bfa9a2062d838ecbc9aa418daf7faa9b0083f788d847

    • SSDEEP

      12288:A1kx1gjdatSK411nhuGvv6DuQ4yPcFy62eaFsvXPAVVRSPq2hvP:A1kfoatSK41dhuGvQgy6GWQxSvX

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (7518) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677

    • Size

      150KB

    • MD5

      ec273b5841eadfc43b1908c9905e95a3

    • SHA1

      71e7990c8c81ef6c4e265eae11030886c40cc8b0

    • SHA256

      410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677

    • SHA512

      164875eb5d8ff791fae4baa2a83d957cbe8fc7a6eaf1ffd3f93162ee21c52d01db80e0df17e1162991e380331b4098759f771c96a84374834603b6296c2b633d

    • SSDEEP

      3072:LmB81yVWHb1eIifPpZyiGUH6pGxfF6hH0hMqqD/A6zHv/:Lc8sVWOmyaWeqqD///

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (8709) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db

    • Size

      546KB

    • MD5

      8ab0375228416b89becff72a0ae40654

    • SHA1

      75f06b636efe53360287c0ff1f51ea7de1e7c8b5

    • SHA256

      5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db

    • SHA512

      c9f500f347b3b35beeecc1b7ab9fda273a149376d488f68eb456a5625e9c5bf541d85ddbdd7c127c9d92406d9ea9e7d15aae9d4d4c518bce926a55bf1b106277

    • SSDEEP

      12288:+SEQeJEf0D+DKSu2eyFS5QBjzLHbhlCKCyTHxTwztt0v93aOy1032Du4IafBEqJX:+gC8bbE0wFH

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9209) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997

    • Size

      150KB

    • MD5

      49250b4aa060299f0c8f67349c942d1c

    • SHA1

      4d0e6d7af9a5edece5273f3c312fdd3b9c229409

    • SHA256

      69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997

    • SHA512

      289c4277e945b1f30d07c699ebc7cf332835433e0d9f393120a6e208e1e7906133d6405665b676a8d3abccf5dbac58789f1f9372b892b36c42cd628d2638e6c3

    • SSDEEP

      3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/:pq/1VP1OyysNmJyXsqqD/ls/

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9312) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78

    • Size

      343KB

    • MD5

      9a246bf39f3fab9c2d45f1003bdc6b45

    • SHA1

      f05e71ed0e4a779fc30c3d732b07e15d56f8e3bc

    • SHA256

      76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78

    • SHA512

      fe0fba6970c2e08ddfcfc867644bce49e8d609f1b98aa638f7dd88dac84c71da164ad7fbbd13469504407e82282618e71bc31fb3d57e5d1df906bfb2a1b0addf

    • SSDEEP

      6144:XRgAYEzNetKh0FtASkJuTXHJdprdf9SDborKA/26m5:BgdSNqKGYDujDpJlSDEGA/A

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (8763) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631

    • Size

      146KB

    • MD5

      388eafffcc96c71c317cf0908d3a133b

    • SHA1

      16e5c5a81a88cb73464d92edf5bec7199907afb9

    • SHA256

      91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631

    • SHA512

      6ee2fbfdab206b2f79d423f3b26a5f8033051ab4d10596c530e381b714dcc8854a4eaf57abd02029ab2d33fdd59b2f1f9c2cdc7702442ee700a43a2411af9515

    • SSDEEP

      3072:V6ZkRGjkBrmKmY99UpkD1/34bIpVSrtLmqc2LVMMqqD/h2LuTeONA5tIHVc:IS9rLPPUpa3VVEtLXcCqqD/hOQnaMc

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9341) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75

    • Size

      546KB

    • MD5

      e4179bca5bf5b1fd51172d629f5521f8

    • SHA1

      488e532e55100da68eaeee30ba342cc05810e296

    • SHA256

      ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75

    • SHA512

      9370d3a2b8d118de6396909b0ca3c1e62e374020ddb0c8a94713f0b596391f20008797509abf300f2241327fe1bfa3338623a56b9be55bd013b6b56e26430035

    • SSDEEP

      12288:eE+eJEf0D+DKSu2eyFS5QBjzLHbhlCKCyTHxTwztt0v93aOy1032Du4IafBEqJX:KC8bbE0wFH

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9289) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877

    • Size

      151KB

    • MD5

      123511227718f17b3dec5431d5ae87f3

    • SHA1

      307088ae7027b55541311fd70a9337ff3709fccf

    • SHA256

      e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877

    • SHA512

      182a45c60c0c14d55e40c7941836d7d658623a66ce7760eb71d8836ffa7974a0d1d3132b919fad921abecc9215ce458f06e563417c70682a9935a02d8053b234

    • SSDEEP

      3072:3m5H8y2mrr217uS8nW+cpsCp2cOy1cjKCy8YjKGiyWDDuMqqD/E0a3Hv/:3MHf2mr/Ww74cdlzXFqqD/Za//

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9332) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869

    • Size

      762KB

    • MD5

      a04a99d946fb08b2f65ba664ad7faebd

    • SHA1

      1fe7e2f8fbd98d6b5505fd9ee66da5b4f11720a1

    • SHA256

      faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869

    • SHA512

      1afde06049a7132e552681a71f74fbb09ac5b26e05c0570af95de0ce4484eb647f2afb781c0683fdba6cb37daacf1c6be690b5208df477158a4d8d45e4c2e374

    • SSDEEP

      12288:S1kx1gjdatSK411nhuGvv6DuQ4yPcFy62eaFsvXPAVVRSPq2hv:S1kfoatSK41dhuGvQgy6GWQxSv

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (7444) files with added filename extension

      This suggests ransomware activity: encrypting all files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d

    • Size

      191KB

    • MD5

      0859a78bb06a77e7c6758276eafbefd9

    • SHA1

      a72e18efa33f1e3438dbb4451c335d487cbd4082

    • SHA256

      ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d

    • SHA512

      49ca427843dd5c5cefef3d50206b0cf772152f78f82bf42a927aa0d70ceed1c1e828cb20f7f2e8dce58bf2c33e14ff75ec74319d15671b9268e0c18457722c5d

    • SSDEEP

      3072:sr85CNR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/3Q1m3/OyVPX/1jTCA:k93OyysNmJyXsqqD/ls/32q/1VPn

    • Detect Neshta payload

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Neshta

      Malware from the Neshta family infects other files in order to spread and cause damage.

    • Neshta family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (8472) files with added filename extension

      This suggests ransomware activity: encrypting all files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

Task          Score   Tags
static1       10/10   cryptone, packer, upx, neshta
behavioral1   10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral2   10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral3   10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral4   10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral5   10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral6   10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral7   10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, upx
behavioral8   10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, upx
behavioral9   10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral10  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral11  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral12  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral13  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral14  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral15  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral16  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral17  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral18  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral19  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, upx
behavioral20  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, upx
behavioral21  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral22  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral23  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral24  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral25  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral26  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral27  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral28  10/10   lockbit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
behavioral29  10/10   lockbit, neshta, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, spyware, stealer
behavioral30  10/10   lockbit, neshta, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, spyware, stealer