lockbit

General

Target

fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.7z
Size

256KB
Sample

250401-x9rpyavwhw
MD5

7d6db8f098e3a5c137aba2249452e892
SHA1

b8e8a5971b8eed6155523292e419f98402be5e40
SHA256

ee066e4909721c85acbb612000e2a0268ae14d2f6533e0e9d2721587083a1bec
SHA512

7d3233f456c393ffe806f942f0414688939ba273c841d247d17303205b378224d4a3eaafb2a3bc6d8d4ee61adebaf20565b6786c2fc3d628ca6ce0b7dba4c677
SSDEEP

6144:MGwLWkYQbAfM1Ui4aYtL7BxW13A40a8om9QSUHjrXd+:M5/YO1Ui4HvI3cFoUQSa3Xk

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\Crashpad\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: ED5B850F872B466792548A086B44C0D8

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Targets

- Target
  
  fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94
- Size
  
  959KB
- MD5
  
  93f3b3b991eede9d563dc18490f4b4e6
- SHA1
  
  357afd5cdd05130c7e381d24c48e3dbcb2ec0b53
- SHA256
  
  fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94
- SHA512
  
  46114f12a6a2f42c718b734489341f882fd13060d35d8824161c65c2460a5064b03c7d58dc818ca0817311f534dfefc84c3381d571a8a5601493b94eb724303c
- SSDEEP
  
  24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdgF:Ujrc2So1Ff+B3k796W
Score

10^/10

lockbit defense_evasion discovery evasion execution impact persistence ransomware
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Lockbit family
  lockbit
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1