Overview

overview

10

Static

static

3

890c0f1302...62.exe

windows10-ltsc 2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    890c0f1302ed2c43e16f9350a9ea9ebd4962af919974218b3ad6baa70bc2a862

  • Size

    564KB

  • Sample

    250219-akansssmf1

  • MD5

    d9d926c61584f0fb2b1450587f6d997c

  • SHA1

    0cc6f80a83635bdf88bd9a68942c7baf651d1dd1

  • SHA256

    890c0f1302ed2c43e16f9350a9ea9ebd4962af919974218b3ad6baa70bc2a862

  • SHA512

    01eb40781cee4f5a23cf381f6b549561855a6cc60d331909fdcce7a406495fd3cca824947c7cf344f191fdafc46b505a60a82ec3ea153ab78f1684236a777b04

  • SSDEEP

    12288:KGNeZhH03k/WXK9RklFStC2rL+51nc9b+AK7pl2s:jNeX8kOI9aAK7pl2s

Score
10/10
lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?8841DD9B0AC925FFA29CAF0622EBA733 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA29CAF0622EBA733 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8841DD9B0AC925FFA29CAF0622EBA733

http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFA29CAF0622EBA733

Targets

    • Target

      890c0f1302ed2c43e16f9350a9ea9ebd4962af919974218b3ad6baa70bc2a862

    • Size

      564KB

    • MD5

      d9d926c61584f0fb2b1450587f6d997c

    • SHA1

      0cc6f80a83635bdf88bd9a68942c7baf651d1dd1

    • SHA256

      890c0f1302ed2c43e16f9350a9ea9ebd4962af919974218b3ad6baa70bc2a862

    • SHA512

      01eb40781cee4f5a23cf381f6b549561855a6cc60d331909fdcce7a406495fd3cca824947c7cf344f191fdafc46b505a60a82ec3ea153ab78f1684236a777b04

    • SSDEEP

      12288:KGNeZhH03k/WXK9RklFStC2rL+51nc9b+AK7pl2s:jNeX8kOI9aAK7pl2s

    Score
    10/10
    lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

      ransomwarelockbit

    • Lockbit family

      lockbit

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (192) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks