Analysis

  • max time kernel
    104s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/03/2025, 02:39

General

  • Target

    2025-03-30_21798cca59362fe9a8e8e372c3c9a364_black-basta_cobalt-strike_satacom.exe

  • Size

    533KB

  • MD5

    21798cca59362fe9a8e8e372c3c9a364

  • SHA1

    0149cac86d324e69ce96de65b96427501062381a

  • SHA256

    20a0c14423a568108c1490f4ddfcdb55453de54c36f141224ed1062b660278ba

  • SHA512

    7efaf4a00a91de65f18bb0bb607ab0720f2d9d640287f0a8649c6b09427e935ecb2b6fbdd25b2a7fa85d96d2f58772864abe63f88b81ca78670e35cb5d731188

  • SSDEEP

    12288:HdoutuQxK5fWYgeWYg955/155/8F9F7UooSUm98uhMmv:9tbxK5FvjU87

Score
10/10

Malware Config

Extracted

  • Path

    C:\PerfLogs\How to decrypt my data.txt

  • Family

    lockbit (the sandbox's classification, taken from the extracted note, which calls itself LockBit 3.0; the black-basta, cobalt-strike and satacom labels in the submitted filename are part of the file name as submitted, not a finding of this run)

  • Ransom Note

    ~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~

    >>>> Your data are stolen and encrypted
    The data will be published on TOR website if you do not pay the ransom

    >>>> What guarantees that we will not deceive you?
    We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.

    >>>> You need contact us and decrypt one file for free
    You can contact us in email or qtox.
    QTox ID Support: 3DF86B12634F4308F81C86251AF940D8F6492A074C8C6F2EFA0D134F024A6E54A324B1813AA0
    Email Support: [email protected],[email protected]
    Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies.

    >>>> Warning
    >>>> Warning

    >>>> Advertisement
    Would you like to earn millions of dollars $$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using QTox messenger without registration and SMS https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe.
    Using QTox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in Email or qtox.
    QTox ID Support: 3DF86B12634F4308F81C86251AF940D8F6492A074C8C6F2EFA0D134F024A6E54A324B1813AA0
    Email Support: [email protected],[email protected]
URLs

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Lockbit family
  • Renames multiple (169) files with added filename extension

    This suggests ransomware activity: the sample appended an extension to 169 files during the run, consistent with bulk file encryption rather than ordinary file writes.

  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive, which ransomware does to find additional volumes to encrypt.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (32 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. Ransomware commonly calls this API to enumerate and delete shadow copies so that encrypted files cannot be restored from them. The report shows vssvc.exe being started (PID 3308) but does not record which VSS operations were requested, so on an affected host confirm whether snapshots survived (for example with vssadmin list shadows) rather than assuming they were deleted.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-30_21798cca59362fe9a8e8e372c3c9a364_black-basta_cobalt-strike_satacom.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-30_21798cca59362fe9a8e8e372c3c9a364_black-basta_cobalt-strike_satacom.exe"
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    PID:2760
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:3308

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\PerfLogs\How to decrypt my data.txt

    Filesize

    2KB

    MD5

    b34e19ffaa698afff3a49f29617ae1bc

    SHA1

    09fd9428e3bcfbdbcef4069d5693b96e2687a996

    SHA256

    083f3863a27f1f773f2b55485d6f3ecd6aa9c80916de865a268a0115b07df922

    SHA512

    cad3e6399e3d4a3990670ae7cd7bc0f9084bb4a27f70742c8efaea908f047048699771110d9adfeaa7dea36dde9bd90d5118df8e025dddc11505e9e30b38b955
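The hashes in the General and Downloads sections and the contact identifiers in the ransom note are the report's actionable indicators. The following Python script is an added example, not part of the sandbox output: it sweeps a directory for files matching the sample or note hashes (or carrying the note's filename, since reworded notes hash differently), and extracts the Tox ID and URL from note text, validating the Tox ID with toxcore's two-byte XOR address checksum (the ID in this report's note passes that check). The note excerpt, the classify/sweep helper names and the label strings are constructed for the example; the e-mail addresses are redacted on the page and are therefore not extracted.

```python
"""IOC sweep built from the sandbox report (added example, not sandbox output).
Hash values and the note path are copied from the report; the note excerpt is
constructed from the report's ransom-note text so extraction can run offline."""
import hashlib
import re
from pathlib import Path

# From the General section (the submitted sample).
SAMPLE_HASHES = {
    "md5": "21798cca59362fe9a8e8e372c3c9a364",
    "sha1": "0149cac86d324e69ce96de65b96427501062381a",
    "sha256": "20a0c14423a568108c1490f4ddfcdb55453de54c36f141224ed1062b660278ba",
}
# From the Downloads section (the dropped ransom note).
NOTE_HASHES = {
    "md5": "b34e19ffaa698afff3a49f29617ae1bc",
    "sha1": "09fd9428e3bcfbdbcef4069d5693b96e2687a996",
    "sha256": "083f3863a27f1f773f2b55485d6f3ecd6aa9c80916de865a268a0115b07df922",
}
NOTE_NAME = "How to decrypt my data.txt"  # dropped under C:\PerfLogs\ in the run

# Constructed excerpt of the note's contact block (e-mail addresses are
# redacted on the report page, so only the Tox ID and URL are extracted).
SAMPLE_NOTE_EXCERPT = (
    "QTox ID Support: 3DF86B12634F4308F81C86251AF940D8F6492A074C8C6F2EFA0D134F024A6E54A324B1813AA0 "
    "Email Support: [email protected]. You can contact us using QTox messenger "
    "https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe. "
    "Using QTox messenger, we will never know your real name."
)

# A Tox ID is 38 bytes (32-byte public key, 4-byte nospam, 2-byte checksum),
# i.e. exactly 76 hex digits; SHA-256 (64) and SHA-512 (128) runs cannot match.
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a byte string, keyed like the report."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches(data: bytes, expected: dict) -> bool:
    """True only if every digest in `expected` agrees with the computed one."""
    actual = file_hashes(data)
    return all(actual[alg] == digest.lower() for alg, digest in expected.items())


def tox_id_checksum_ok(tox_id: str) -> bool:
    """toxcore's address checksum: XOR the first 36 bytes into two bytes
    (byte i goes to check[i % 2]) and compare with the trailing two bytes."""
    try:
        raw = bytes.fromhex(tox_id)
    except ValueError:
        return False
    if len(raw) != 38:
        return False
    check = [0, 0]
    for i, b in enumerate(raw[:36]):
        check[i % 2] ^= b
    return bytes(check) == raw[36:]


def extract_contacts(note_text: str) -> dict:
    """Contact identifiers worth blocklisting or pivoting on: Tox IDs that pass
    the checksum, and URLs with trailing sentence punctuation stripped."""
    tox_ids = {t.upper() for t in TOX_ID_RE.findall(note_text) if tox_id_checksum_ok(t)}
    urls = {u.rstrip(".,;:)") for u in URL_RE.findall(note_text)}
    return {"tox_ids": sorted(tox_ids), "urls": sorted(urls)}


def classify(name: str, data: bytes):
    """Label a file: known sample, known note, or a note by filename only
    (the wording, and so the hash, may differ between victims)."""
    if matches(data, SAMPLE_HASHES):
        return "sample"
    if matches(data, NOTE_HASHES):
        return "ransom_note"
    if name == NOTE_NAME:
        return "note_name_only"
    return None


def sweep(root: Path) -> list:
    """Walk a mounted or exported filesystem and return (path, label) hits."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            label = classify(p.name, p.read_bytes())
        except OSError:
            continue
        if label:
            hits.append((str(p), label))
    return hits


if __name__ == "__main__":
    import sys
    for path, label in sweep(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(label, path)
    print(extract_contacts(SAMPLE_NOTE_EXCERPT))
```

Run it against a mounted disk image or an exported file share; a "note_name_only" hit is worth treating as a positive even though its hash differs from the one in the Downloads section, because the drop path and filename are the stable part of the behaviour. The checksum filter keeps unrelated 76-character hex strings (for example, other malware's keys quoted in the same triage notes) out of the Tox ID list.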