General
-
Target
https://gofile.io/d/0FkLDV
-
Sample
250417-ksktvavls8
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://gofile.io/d/0FkLDV
Resource
win11-20250410-en
30 signatures
900 seconds
Malware Config
Extracted
Path
C:\4FuTnRXWk.README.txt
Ransom Note
All of your files are now encrypted you from now on have 1 week to pay the ransom else your files will stay locked for EVER :3
sooo ummm ur files are encrypted i think with something called my ransomware >.<
-------------------------------------------------------------------
send me money i need money im broke
$1000 > XMR: 49GpPj1UGZzJbzZhJ91ypdKVFhnwvaTnSB1BZSrvvXM3ipcsJ4jeo46g9y6o1deADsFj2GU1VnouF7Uu1nkXnCfjCkc5Vtp
Decryption ID UwU: 27819054789075894207492074123905942076847204326243287608687564353695786876
Contact me on session ^w^ https://getsession.org/
ID: 055b6bc0f496645262ca9c0b04d7b116b7effa75b6f69646b4f5e24c2f4d342e32
-------------------------------------------------------------------
send me a message with ur decryption id and proof of payment and ill send u nudes maybe idk or ill if ur really lucky decrypt ur pc PUWO :3
URLs
https://getsession.org/
Targets
-
Target
https://gofile.io/d/0FkLDV
-
Lockbit family
-
Rule to detect Lockbit 3.0 ransomware Windows payload
-
Renames multiple (547) files with an added filename extension
This suggests ransomware activity: the sample is encrypting files across the system and appending an extension to each one.
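The mass-rename heuristic above can be reproduced offline from a file-event trace. The following is an added example, not part of this report or of the sandbox's own signature code: it walks constructed (op, src, dst) events, counts renames where the destination is the source path plus one appended extension, flags ransomware when many files share the same appended extension, and checks whether a dropped <extension>.README.txt note (the naming LockBit 3.0 samples typically use) matches that extension. The report shows the note path C:\4FuTnRXWk.README.txt but not the extension appended to encrypted files, so using 4FuTnRXWk as that extension in the sample data, and the threshold of 10 renames, are assumptions.

```python
import re
from collections import Counter

# Constructed sample events (not sandbox output). Each event is (op, src, dst);
# dst is only set for renames. The appended extension 4FuTnRXWk is an assumption
# taken from the ransom note name on this page.
_DOCS = ["report.docx", "budget.xlsx", "photo.jpg", "notes.txt", "slides.pptx",
         "scan.pdf", "archive.zip", "song.mp3", "invoice.pdf", "db.sqlite",
         "thesis.docx", "keys.csv"]
SAMPLE_EVENTS = [("rename", "C:\\Users\\u\\Documents\\" + n,
                  "C:\\Users\\u\\Documents\\" + n + ".4FuTnRXWk") for n in _DOCS]
SAMPLE_EVENTS += [
    ("rename", "C:\\Users\\u\\tmp\\draft.tmp", "C:\\Users\\u\\tmp\\final.tmp"),  # benign rename
    ("rename", "C:\\Users\\u\\a.txt", "C:\\Users\\u\\a.txt.bak"),              # lone backup-style rename
    ("create", "C:\\4FuTnRXWk.README.txt", None),                              # ransom note drop
]

# Note file name convention observed for LockBit 3.0: <extension>.README.txt
_NOTE_RE = re.compile(r"(?P<ext>[^.\\]+)\.README\.txt", re.IGNORECASE)


def added_extension(src, dst):
    """Return the extension appended to src to form dst, or None.

    Only a single appended component counts: 'a.txt' -> 'a.txt.X' yields 'X';
    'a.txt' -> 'b.txt' or 'a.txt' -> 'a.txt.X.Y' yields None.
    """
    if dst is None or not dst.startswith(src + "."):
        return None
    ext = dst[len(src) + 1:]
    if not ext or "." in ext or "\\" in ext:
        return None
    return ext


def analyze(events, threshold=10):
    """Score a file-event trace for mass-rename ransomware behaviour.

    threshold: number of files sharing one appended extension before the
    trace is flagged (an assumed value; the sandbox reported 547 here).
    """
    ext_counts = Counter()
    notes = []
    for op, src, dst in events:
        if op == "rename":
            ext = added_extension(src, dst)
            if ext:
                ext_counts[ext] += 1
        elif op == "create":
            name = src.rsplit("\\", 1)[-1]
            m = _NOTE_RE.fullmatch(name)
            if m:
                notes.append((m.group("ext"), src))

    top_ext, top_count = (ext_counts.most_common(1) or [(None, 0)])[0]
    return {
        "extension": top_ext,
        "renamed_files": top_count,
        "ransom_notes": [path for _, path in notes],
        # True when a dropped note is named after the appended extension
        "note_names_extension": any(e == top_ext for e, _ in notes),
        "ransomware_suspected": top_count >= threshold,
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_EVENTS).items():
        print(f"{k}: {v}")
```

The extension check deliberately ignores renames such as draft.tmp to final.tmp and a single .bak rename, so the signal is the count of distinct files sharing one new trailing component, not rename volume alone; tying the note name to that same extension is what separates a LockBit-style run from a backup tool.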
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v16
Defense Evasion
Indicator Removal (1): File Deletion (1)
Subvert Trust Controls (1): SIP and Trust Provider Hijacking (1)
Credential Access
Credentials from Password Stores (1): Credentials from Web Browsers (1)
Unsecured Credentials (1): Credentials In Files (1)