General
- Target: 0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.7z
- Size: 56KB
- Sample: 250413-wqfb5a1jy4
- MD5: d19d012419b4e5f8230d9d68975f2d1b
- SHA1: 2cc3d062564c040afc9e876000f93e318ba46c6f
- SHA256: 850e2d113690b79d9c472aa8a38e8a2b56fb76a852a8657cfbc8f62debf05868
- SHA512: 1412c234c98e7f8814e2e15bfe54d99c5fb251c883eb9035a6c4d14019b92e8346407d3753a8054c0e5b3503848fb299e2c8c707ebd6be7cb882fbaedac9784b
- SSDEEP: 1536:MRSRlrfbxwBt4IipkEQi3JVk0RDl0rH1fUnWoRRYbgXPt:MRSmBtdipk4Vk0Rq1fUnWK+ul
Static task: static1
Behavioral task: behavioral1
- Sample: 0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.exe
- Resource: win10v2004-20250410-en
Malware Config
Extracted
- Path: C:\Program Files\Restore-My-Files.txt
- Family: lockbit
- URL: http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BCD2955F032AC3E6
Targets
- Target: 0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.exe
- Size: 151KB
- MD5: 1fbef2a9007eb0e32fb586e0fca3f0e7
- SHA1: 3e86304198d1185a36834e59147fc767315d8678
- SHA256: 0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335
- SHA512: 94de457c74b783413514bc5804e86f5e1f0962dc03acf12d0a22c8b383b099518242314862417c24e5b13101b135d36dce285f4db11c989f3bc4331ce1b437b0
- SSDEEP: 3072:3m5H8y2mrr217uS8nW+cpsCp2cOy1cjKCy8YjKGiyWDDuMqqD/E0a3Hv/:3MHf2mr/Ww74cdlzXFqqD/Za//
- Lockbit family
- Clears Windows event logs
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- Renames multiple (6456) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v16
Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
Defense Evasion
- Direct Volume Access: 1
- Indicator Removal: 4
  - Clear Windows Event Logs: 1
  - File Deletion: 3
- Modify Registry: 1