Resubmissions

11/04/2025, 11:21

250411-nf32faxps3 10

11/04/2025, 08:06

250411-jzhgmatnz4 10

General

  • Target

    829575dc1105f36047a6cde2be378239b46b7609556b366222b2a21d9d9ed9b8

  • Size

    65KB

  • Sample

    250411-nf32faxps3

  • MD5

    156d711b3f24d4e49ecc12c186d61a81

  • SHA1

    53d89b91bdab6de6ad385635f8e1c1a80579684f

  • SHA256

    829575dc1105f36047a6cde2be378239b46b7609556b366222b2a21d9d9ed9b8

  • SHA512

    f33280851ecc32ff87c08f32709b0351928f3055c0343b6ec6fad0b3bb95498ee09ca501b756234d50efecb156e1c210f1344a8092d60d82c8947e220fd257b6

  • SSDEEP

    768:7IWywdXxyb5lE6+F6U+nLONalh5BNnOk04rwFQ01aUa7se15MG7+9aW:sWywdhF8LssbOk0AwF1M5MGZ

Malware Config

Targets

    • Target

      829575dc1105f36047a6cde2be378239b46b7609556b366222b2a21d9d9ed9b8

    • Size

      65KB

    • MD5

      156d711b3f24d4e49ecc12c186d61a81

    • SHA1

      53d89b91bdab6de6ad385635f8e1c1a80579684f

    • SHA256

      829575dc1105f36047a6cde2be378239b46b7609556b366222b2a21d9d9ed9b8

    • SHA512

      f33280851ecc32ff87c08f32709b0351928f3055c0343b6ec6fad0b3bb95498ee09ca501b756234d50efecb156e1c210f1344a8092d60d82c8947e220fd257b6

    • SSDEEP

      768:7IWywdXxyb5lE6+F6U+nLONalh5BNnOk04rwFQ01aUa7se15MG7+9aW:sWywdhF8LssbOk0AwF1M5MGZ

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Renames multiple (699) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16

Tasks