General

  • Target

    https://gofile.io/d/0FkLDV

  • Sample

    250417-ksktvavls8

Malware Config

Extracted

Path

C:\4FuTnRXWk.README.txt

Ransom Note
All of your files are now encrypted you from now on have 1 week to pay the ransom else your files will stay locked for EVER :3 sooo ummm ur files are encrypted i think with something called my ransomware >.<
-------------------------------------------------------------------
send me money i need money im broke $1000 > XMR: 49GpPj1UGZzJbzZhJ91ypdKVFhnwvaTnSB1BZSrvvXM3ipcsJ4jeo46g9y6o1deADsFj2GU1VnouF7Uu1nkXnCfjCkc5Vtp
Decryption ID UwU: 27819054789075894207492074123905942076847204326243287608687564353695786876
Contact me on session ^w^ https://getsession.org/ ID: 055b6bc0f496645262ca9c0b04d7b116b7effa75b6f69646b4f5e24c2f4d342e32
-------------------------------------------------------------------
send me a message with ur decryption id and proof of payment and ill send u nudes maybe idk or ill if ur really lucky decrypt ur pc PUWO :3
URLs

https://getsession.org/
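The note above carries everything an analyst would pivot on: the Monero wallet, the Session contact ID, the per-victim decryption ID, the demanded amount and the deadline. The extractor below is an added example, not the sandbox's own config parser and not code from the malware; it runs over the note text exactly as this report recovered it. The regular expressions are shape checks only (a 95-character base58 Monero address beginning with 4 or 8, a 66-hex-character Session ID with the fixed 05 prefix); they do not verify the Monero address checksum.

```python
"""Ransom-note config extractor (added example, not part of the report)."""
import json
import re

# Ransom note text as recovered by the sandbox from C:\4FuTnRXWk.README.txt
# (this report's own data, joined onto one line).
RANSOM_NOTE = (
    "All of your files are now encrypted you from now on have 1 week to pay "
    "the ransom else your files will stay locked for EVER :3 sooo ummm ur files "
    "are encrypted i think with something called my ransomware >.< "
    "------------------------------------------------------------------- "
    "send me money i need money im broke $1000 > XMR: "
    "49GpPj1UGZzJbzZhJ91ypdKVFhnwvaTnSB1BZSrvvXM3ipcsJ4jeo46g9y6o1deADsFj2GU1VnouF7Uu1nkXnCfjCkc5Vtp "
    "Decryption ID UwU: 27819054789075894207492074123905942076847204326243287608687564353695786876 "
    "Contact me on session ^w^ https://getsession.org/ ID: "
    "055b6bc0f496645262ca9c0b04d7b116b7effa75b6f69646b4f5e24c2f4d342e32 "
    "------------------------------------------------------------------- "
    "send me a message with ur decryption id and proof of payment and ill send "
    "u nudes maybe idk or ill if ur really lucky decrypt ur pc PUWO :3"
)

# Standard Monero address: 95 base58 characters, '4' for a main address or
# '8' for a subaddress. Base58 omits 0, O, I and l. Shape check only; the
# embedded Keccak checksum is not verified here.
XMR_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# Session ID: 33-byte public key, hex-encoded (66 chars) with a 0x05 prefix byte.
SESSION_ID_RE = re.compile(r"\b05[0-9a-fA-F]{64}\b")
# The note labels its victim identifier "Decryption ID UwU:"; tolerate any
# decoration between the label and the colon.
DECRYPTION_ID_RE = re.compile(r"Decryption ID[^:]*:\s*(\d+)")
AMOUNT_RE = re.compile(r"\$(\d[\d,]*)")
DEADLINE_RE = re.compile(r"(\d+)\s+(hours?|days?|weeks?)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_config(note: str) -> dict:
    """Return the indicators found in a ransom note; absent fields are None."""
    cfg = {
        "xmr_address": None,
        "session_id": None,
        "decryption_id": None,
        "amount_usd": None,
        "deadline": None,
        "urls": [],
    }
    if m := XMR_RE.search(note):
        cfg["xmr_address"] = m.group(0)
    if m := SESSION_ID_RE.search(note):
        cfg["session_id"] = m.group(0).lower()
    if m := DECRYPTION_ID_RE.search(note):
        cfg["decryption_id"] = m.group(1)
    if m := AMOUNT_RE.search(note):
        cfg["amount_usd"] = int(m.group(1).replace(",", ""))
    if m := DEADLINE_RE.search(note):
        cfg["deadline"] = f"{m.group(1)} {m.group(2).lower()}"
    cfg["urls"] = sorted(set(URL_RE.findall(note)))
    return cfg


if __name__ == "__main__":
    print(json.dumps(extract_config(RANSOM_NOTE), indent=2))
```

The wallet and Session ID are the durable indicators here: the decryption ID is per victim and the amount and deadline are cheap for the actor to change, so they belong in the report but not in a blocklist.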

Targets

    • Target

      https://gofile.io/d/0FkLDV

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Renames multiple (547) files with added filename extension

      Hundreds of files renamed with the same new extension within one run is the classic footprint of ransomware encrypting files across the system; the sandbox observed 547 such renames.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data such as saved credentials, cookies and browsing history.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by their intrusion activity to hinder forensic recovery (ATT&CK T1070.004).

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger class stops the thread from reporting debug events to an attached debugger, a common anti-analysis technique.
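The mass-rename signature above is a heuristic a defender can reproduce from endpoint file events. The detector below is an added example, not the sandbox's rule and not code from the report: it groups rename events by process and appended extension, counts how many land inside a sliding time window, and raises confidence when the same process also drops a `*.README.txt` note. The event list is constructed to mimic what this report describes (547 renames, a note at C:\4FuTnRXWk.README.txt); the appended extension `.4FuTnRXWk` and the process IDs are assumptions, since the report does not state them.

```python
"""Mass-rename ransomware heuristic over file events (added example)."""
import ntpath  # Windows path handling regardless of the host OS
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

RENAME_THRESHOLD = 50            # renames sharing one appended extension ...
WINDOW = timedelta(seconds=60)   # ... by one process within this window


@dataclass
class FileEvent:
    ts: datetime
    pid: int
    op: str            # "rename" or "create"
    path: str          # old path for renames, created path otherwise
    new_path: str = ""


def appended_extension(old_path: str, new_path: str) -> Optional[str]:
    """Return the extension a rename appended (e.g. '.bak'), or None if the
    rename moved the file or changed more than appending a suffix."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower() or not new_name.startswith(old_name + "."):
        return None
    return new_name[len(old_name):]


def detect_mass_rename(events: List[FileEvent],
                       threshold: int = RENAME_THRESHOLD,
                       window: timedelta = WINDOW) -> List[dict]:
    """Return one alert per (pid, extension) whose renames exceed the
    threshold inside any window; each alert lists notes the pid dropped."""
    renames = defaultdict(list)   # (pid, ext) -> timestamps
    notes = defaultdict(list)     # pid -> dropped ransom-note paths
    for ev in events:
        if ev.op == "rename":
            ext = appended_extension(ev.path, ev.new_path)
            if ext:
                renames[(ev.pid, ext)].append(ev.ts)
        elif ev.op == "create" and ntpath.basename(ev.path).upper().endswith(".README.TXT"):
            notes[ev.pid].append(ev.path)

    alerts = []
    for (pid, ext), times in renames.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):          # two-pointer sliding window
            while times[i] - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts.append({"pid": pid, "ext": ext, "count": best,
                           "notes": notes.get(pid, [])})
    return alerts


def build_sample_events() -> List[FileEvent]:
    """Constructed events modelled on this report: 547 renames appending an
    assumed extension, one note drop, plus benign renames by other processes."""
    base = datetime(2025, 4, 17, 10, 0, 0)
    ransom_pid, ext = 4120, ".4FuTnRXWk"          # assumed, not from the report
    events = [
        # Benign: Word saving a temp file under its final name (not an append).
        FileEvent(base, 888, "rename", r"C:\Users\victim\Documents\~WRD0001.tmp",
                  r"C:\Users\victim\Documents\report.docx"),
        # Benign: a single user-made backup copy (append, but one event).
        FileEvent(base, 1204, "rename", r"C:\Users\victim\notes.txt",
                  r"C:\Users\victim\notes.txt.bak"),
    ]
    for i in range(547):
        old = rf"C:\Users\victim\Documents\file{i:04d}.docx"
        events.append(FileEvent(base + timedelta(milliseconds=50 * i),
                                ransom_pid, "rename", old, old + ext))
    events.append(FileEvent(base + timedelta(seconds=28), ransom_pid, "create",
                            r"C:\4FuTnRXWk.README.txt"))
    return events


if __name__ == "__main__":
    for alert in detect_mass_rename(build_sample_events()):
        print(alert)
```

The threshold and window are tuning knobs; backup agents and bulk-rename tools also append extensions, so the note drop by the same process is what separates this from noise in practice.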

MITRE ATT&CK Enterprise v16

Tasks