Overview

overview

10

Static

static

3

c6e5a9f39b...78.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c6e5a9f39bfc6dc46c2eb7a786948e9d111ddbec5e157c8081f7c22b7d6b3c78.zip

  • Size

    168KB

  • Sample

    250110-pw7v1awqhr

  • MD5

    7cd7674bcc4460deea815b10127e8e14

  • SHA1

    72c88131f1160190fb0311c3d5ce7b1300c860c5

  • SHA256

    192a20e5740cf683ec11f991532c652085502809370987ce5cd37aab99034fa9

  • SHA512

    a758c19abf5af4c048e6eb802e4d1cfe8de4f9d92c2f3d744a0ea5550489a4af65fec3c0d15af7a4ec39a79e13af1e8f22c32c367be5e6d55299381498271bc0

  • SSDEEP

    3072:4zZfVx5N/yiQMbWOQpw3gjktELtbQEtZk/hn350KfiDXzcVpJpd8W4h4PvaEX:4zvN/nJbWbEmiLEEhp0KaDXzkJpdD4mr

Score
10/10
lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?ADDD79899D34FB74A394C324F60B676E | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?ADDD79899D34FB74A394C324F60B676E This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.com/?ADDD79899D34FB74A394C324F60B676E

http://lockbitks2tvnmwk.onion/?ADDD79899D34FB74A394C324F60B676E

Targets

    • Target

      c6e5a9f39bfc6dc46c2eb7a786948e9d111ddbec5e157c8081f7c22b7d6b3c78.exe

    • Size

      247KB

    • MD5

      81d9cac2627d252af11b3ced0f2928d8

    • SHA1

      1d19670a5eb9ba2399bcb9a967fad24cd75b1f2a

    • SHA256

      c6e5a9f39bfc6dc46c2eb7a786948e9d111ddbec5e157c8081f7c22b7d6b3c78

    • SHA512

      6b210647985289a2f8bd4c240013617d9e68834a171bff39b4f03982df2253d2ab43bfd3770af9129f956756dd0ff491f067c6d7ab6f371622d3a2f51968a8de

    • SSDEEP

      3072:J1rxNteUB+mcyAdSnsMObgqyoGGeV1EZyOdBDT0ynl0Xp8K7:J1rxN5B6mBugqafEpBDT0ylQp

    Score
    10/10
    lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

      ransomwarelockbit

    • Lockbit family

      lockbit

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (4054) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks