General
Target: 0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.7z
Size: 56KB
Sample: 250413-wnmy7a1jv6
MD5: d19d012419b4e5f8230d9d68975f2d1b
SHA1: 2cc3d062564c040afc9e876000f93e318ba46c6f
SHA256: 850e2d113690b79d9c472aa8a38e8a2b56fb76a852a8657cfbc8f62debf05868
SHA512: 1412c234c98e7f8814e2e15bfe54d99c5fb251c883eb9035a6c4d14019b92e8346407d3753a8054c0e5b3503848fb299e2c8c707ebd6be7cb882fbaedac9784b
SSDEEP: 1536:MRSRlrfbxwBt4IipkEQi3JVk0RDl0rH1fUnWoRRYbgXPt:MRSmBtdipk4Vk0Rq1fUnWK+ul
Static task: static1
Behavioral task: behavioral1
Sample: 0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.7z
Resource: win10v2004-20250314-en
Malware Config
Extracted
C:\Program Files\Restore-My-Files.txt
lockbit
http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86B8BC1C9031361683
Targets
Target: 0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.7z
- Lockbit family
- Clears Windows event logs
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- Renames multiple (6459) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v16
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (4)
    Clear Windows Event Logs (1)
    File Deletion (3)
  Modify Registry (1)