Overview

overview

10

Static

static

10

0f178bc093...35.exe

windows7-x64

10

0f178bc093...35.exe

windows10-2004-x64

10

1b109db549...18.exe

windows7-x64

10

1b109db549...18.exe

windows10-2004-x64

10

1dbe9f9565...92.exe

windows7-x64

10

1dbe9f9565...92.exe

windows10-2004-x64

10

1e3bf358c7...70.exe

windows7-x64

10

1e3bf358c7...70.exe

windows10-2004-x64

10

26b6a9fecf...39.exe

windows7-x64

10

26b6a9fecf...39.exe

windows10-2004-x64

10

286bffaa9c...3f.exe

windows7-x64

10

286bffaa9c...3f.exe

windows10-2004-x64

10

410c884d88...77.exe

windows7-x64

10

410c884d88...77.exe

windows10-2004-x64

10

5072678821...db.exe

windows7-x64

10

5072678821...db.exe

windows10-2004-x64

10

69d9dd7fdd...97.exe

windows7-x64

10

69d9dd7fdd...97.exe

windows10-2004-x64

10

76a77def28...78.exe

windows7-x64

10

76a77def28...78.exe

windows10-2004-x64

10

91d1ab6c30...31.exe

windows7-x64

10

91d1ab6c30...31.exe

windows10-2004-x64

10

ca57455fd1...75.exe

windows7-x64

10

ca57455fd1...75.exe

windows10-2004-x64

10

e3f236e4ae...77.exe

windows7-x64

10

e3f236e4ae...77.exe

windows10-2004-x64

10

faa3453ceb...69.exe

windows7-x64

10

faa3453ceb...69.exe

windows10-2004-x64

10

ffbb6c4d8d...4d.exe

windows7-x64

10

ffbb6c4d8d...4d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    28-12-2024 23:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe

  • Size

    146KB

  • MD5

    388eafffcc96c71c317cf0908d3a133b

  • SHA1

    16e5c5a81a88cb73464d92edf5bec7199907afb9

  • SHA256

    91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631

  • SHA512

    6ee2fbfdab206b2f79d423f3b26a5f8033051ab4d10596c530e381b714dcc8854a4eaf57abd02029ab2d33fdd59b2f1f9c2cdc7702442ee700a43a2411af9515

  • SSDEEP

    3072:V6ZkRGjkBrmKmY99UpkD1/34bIpVSrtLmqc2LVMMqqD/h2LuTeONA5tIHVc:IS9rLPPUpa3VVEtLXcCqqD/hOQnaMc

Score
10/10
lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\es-ES\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?A94ED07AA2CAF6C8B6D98960B8DF9958 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?A94ED07AA2CAF6C8B6D98960B8DF9958 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?A94ED07AA2CAF6C8B6D98960B8DF9958

http://lockbitks2tvnmwk.onion/?A94ED07AA2CAF6C8B6D98960B8DF9958

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?A94ED07AA2CAF6C8B6D98960B8DF9958 Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?A94ED07AA2CAF6C8B6D98960B8DF9958 This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?A94ED07AA2CAF6C8B6D98960B8DF9958

http://lockbitks2tvnmwk.onion/?A94ED07AA2CAF6C8B6D98960B8DF9958

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Lockbit family
    lockbit
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (9341) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe
    "C:\Users\Admin\AppData\Local\Temp\91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2700
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1600
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:696
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1368
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:868
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      PID:3900
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.7 -n 3
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3928
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4020
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2556
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1272
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2180
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:1484

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      Windows Management Instrumentation

      1
      T1047

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Direct Volume Access

      1
      T1006

      Indicator Removal

      3
      T1070

      File Deletion

      3
      T1070.004

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Defacement

      1
      T1491

      Inhibit System Recovery

      4
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\DVD Maker\es-ES\Restore-My-Files.txt
        Filesize

        1KB

        MD5

        0bf933a8bc8508e5fac23c5c4bd842f9

        SHA1

        07deda6a832b5bd805425e1e7defff03c9492ad2

        SHA256

        26761c8f3a400879690ce506aa1c8145ef1c25cbc33dbfe5262bf10753ce5671

        SHA512

        37aac207f8faadf92ac3633ed7ba3831fca06daecab71f3fae77b3c2e995f62283aa3ddeac0841cc313324c1fa47142241cc293bd409313dda3b0cfba6ef76c2

        Download Submit

      • C:\Users\Admin\Desktop\LockBit-note.hta
        Filesize

        17KB

        MD5

        b38266397a569cce683ff068a215f396

        SHA1

        72b16a4d4224c646ff1a690760c3d3cc3ba6ea24

        SHA256

        a6f84336890135d0693160e198e5b5161975988817cd34b7e3462e48f95007d7

        SHA512

        874fc190a5a03539ecf4dba2abc204175700a7b9ab65949e21f6afd374a992a6b14d1071538afe6c8409d0bf4325ad594310a8f29bf45e78a8f75a34b01748f8

        Download Submit