General

  • Target

    0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.7z

  • Size

    56KB

  • Sample

    250413-wqfb5a1jy4

  • MD5

    d19d012419b4e5f8230d9d68975f2d1b

  • SHA1

    2cc3d062564c040afc9e876000f93e318ba46c6f

  • SHA256

    850e2d113690b79d9c472aa8a38e8a2b56fb76a852a8657cfbc8f62debf05868

  • SHA512

    1412c234c98e7f8814e2e15bfe54d99c5fb251c883eb9035a6c4d14019b92e8346407d3753a8054c0e5b3503848fb299e2c8c707ebd6be7cb882fbaedac9784b

  • SSDEEP

    1536:MRSRlrfbxwBt4IipkEQi3JVk0RDl0rH1fUnWoRRYbgXPt:MRSmBtdipk4Vk0Rq1fUnWK+ul

Malware Config

Extracted

Path

C:\Program Files\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back:
1. Download Tor browser - https://www.torproject.org/ and install it.
2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BCD2955F032AC3E6 This link only works in Tor Browser!
3. Follow the instructions on this page
### Attention! ###
# Do not rename encrypted files.
# Do not try to decrypt using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
# Tor Browser user manual https://tb-manual.torproject.org/about
!!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.

URLs

http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BCD2955F032AC3E6

Targets

    • Target

      0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.exe

    • Size

      151KB

    • MD5

      1fbef2a9007eb0e32fb586e0fca3f0e7

    • SHA1

      3e86304198d1185a36834e59147fc767315d8678

    • SHA256

      0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335

    • SHA512

      94de457c74b783413514bc5804e86f5e1f0962dc03acf12d0a22c8b383b099518242314862417c24e5b13101b135d36dce285f4db11c989f3bc4331ce1b437b0

    • SSDEEP

      3072:3m5H8y2mrr217uS8nW+cpsCp2cOy1cjKCy8YjKGiyWDDuMqqD/E0a3Hv/:3MHf2mr/Ww74cdlzXFqqD/Za//

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (6456) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16

Tasks