General

  • Target

    SecuriteInfo.com.Win64.MalwareX-gen.22561.9089.exe

  • Size

    996KB

  • Sample

    250422-kfd6jatpy6

  • MD5

    7a84f2668e2be8670c8f9bc4cbe053bb

  • SHA1

    0643693ca7e813538fde9f99fb9a190d093f662d

  • SHA256

    9a007e70a934bc617f93d4c2ea08f2b7c6238562529bc90d89c990bd7d2983c4

  • SHA512

    a298ab87c98cf7d151bfdd43a7194ae44d5c648fc21f8c21941e8ca6097defe2f10bfc918710b10cdb696531d14fb882cf42540651e79473568d037c70c35774

  • SSDEEP

    24576:iVoX38bcWaK10TflaolhlxhX6F/FhlxhX6F/k:iKXMoWV1qao/B6ZB62

Malware Config

Extracted

Path

C:\JaGl8xLNG.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~

>>>> Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom you need to transfer 1 monero to this account otherwise your files will be deleted forever:87UysM3HKs8K5MqEwXGnSBAECCUMhf6voZQBUJivYcfYCjbKB8iMexrGrAKFd1Nqqp36eusTSvfuxKiXrUWBtqZt2PtqDmp
I am a private entrepreneur who uses other people's things. To contact me, write to me at tox:643AEA81DD7E8022CB560BD12B72BF62D93668E05659A2CB23A2F9888FDCBF77E8CB1169D117

>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.

>>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

Targets

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Renames multiple (637) files with added filename extension

      Mass renaming with an appended extension is consistent with ransomware encrypting files across the system. LockBit 3.0 typically appends the same identifier used in its ransom note name (JaGl8xLNG for this sample) to every file it encrypts.

    • Checks computer location settings

      Reads the country code configured in the registry, likely a geofence: LockBit builds are known to exit without encrypting when the system locale belongs to a CIS country.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion (ATT&CK T1070.004)

      Adversaries may delete files left behind by their intrusion activity to hinder forensic recovery.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      Writes the Wallpaper value under HKCU\Control Panel\Desktop, the usual way ransomware replaces the desktop background with its ransom message.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger class, which stops debug events for that thread from reaching an attached debugger; a common anti-analysis technique.

    • Suspicious use of SetThreadContext

      Rewrites a thread's register state, which is typically used to redirect execution during process injection or hollowing.
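A triage script, added here as an example and not part of the Triage report or of the sample itself, that ties the signatures above together: it walks a directory tree, finds notes named like C:\JaGl8xLNG.README.txt, infers the appended extension from the id in the note name (an assumption of this example, since LockBit 3.0 builds normally append that same id to each encrypted file), counts the files carrying it, and extracts the decryption ID, Monero address and Tox ID from the note body. The directory it runs against is constructed by build_demo_tree and is not the sandbox's filesystem; the note excerpt embedded as SAMPLE_NOTE is taken from the report.

```python
"""Triage helpers for the behaviours in this report: locate LockBit 3.0 style
ransom notes, infer the appended file extension from the note name, count the
files that carry it, and pull the payment/contact identifiers out of the note."""
import re
import tempfile
from pathlib import Path

# LockBit 3.0 drops "<9-char id>.README.txt" and appends ".<id>" to every file
# it encrypts. Assumption for this example: the id in the note name and the
# appended extension are the same (JaGl8xLNG for the sample in the report).
NOTE_NAME_RE = re.compile(r"^(?P<id>[A-Za-z0-9]{9})\.README\.txt$")

# Identifier formats observed in the note body of this sample.
DECRYPTION_ID_RE = re.compile(r"DECRYPTION ID:\s*([0-9A-F]{32})")
MONERO_RE = re.compile(r"\b([48][1-9A-HJ-NP-Za-km-z]{94})\b")  # 95-char base58 address
TOX_RE = re.compile(r"tox:([0-9A-Fa-f]{76})")                   # 38-byte Tox ID as hex

# Excerpt of the note dropped by the sample (copied from the report); used to
# populate the constructed demo tree below.
SAMPLE_NOTE = (
    "~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~\n"
    ">>>> Your data are stolen and encrypted The data will be published on TOR "
    "website if you do not pay the ransom you need to transfer 1 monero to this "
    "account otherwise your files will be deleted forever:"
    "87UysM3HKs8K5MqEwXGnSBAECCUMhf6voZQBUJivYcfYCjbKB8iMexrGrAKFd1Nqqp36eusTSvfuxKiXrUWBtqZt2PtqDmp"
    " I am a private entrepreneur who uses other people's things. To contact me, "
    "write to me at tox:643AEA81DD7E8022CB560BD12B72BF62D93668E05659A2CB23A2F9888FDCBF77E8CB1169D117"
    " >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4\n"
)


def find_ransom_notes(root):
    """Map every LockBit-style note under root to the id in its file name."""
    notes = {}
    for path in Path(root).rglob("*.README.txt"):
        match = NOTE_NAME_RE.match(path.name)
        if match:
            notes[path] = match.group("id")
    return notes


def count_renamed_files(root, ext_id):
    """Count files whose name ends in ".<ext_id>", i.e. carry the appended extension."""
    suffix = "." + ext_id
    return sum(1 for p in Path(root).rglob("*")
               if p.is_file() and p.name.endswith(suffix))


def extract_note_iocs(text):
    """Return the decryption ID, Monero address and Tox ID found in a note body."""
    def first(regex):
        match = regex.search(text)
        return match.group(1) if match else None
    return {
        "decryption_id": first(DECRYPTION_ID_RE),
        "monero": first(MONERO_RE),
        "tox": first(TOX_RE),
    }


def triage(root):
    """Per inferred extension id: note path, renamed-file count and note IOCs."""
    summary = {}
    for note_path, ext_id in find_ransom_notes(root).items():
        body = note_path.read_text(encoding="utf-8", errors="replace")
        summary[ext_id] = {
            "note": str(note_path),
            "renamed_files": count_renamed_files(root, ext_id),
            **extract_note_iocs(body),
        }
    return summary


def build_demo_tree():
    """Constructed directory mimicking the aftermath of this sample; not real data."""
    root = Path(tempfile.mkdtemp(prefix="lockbit-triage-"))
    (root / "JaGl8xLNG.README.txt").write_text(SAMPLE_NOTE, encoding="utf-8")
    for name in ("docs/report.docx", "docs/budget.xlsx", "pics/photo.jpg"):
        target = root / (name + ".JaGl8xLNG")
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"\x00" * 16)  # stand-in for ciphertext
    (root / "docs" / "notes.md").write_text("untouched file", encoding="utf-8")
    (root / "docs" / "desktop.ini").write_text("[.ShellClassInfo]\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    for ext_id, info in triage(build_demo_tree()).items():
        print(ext_id, info)
```

Running it against a real mounted image means passing the volume root to triage instead of build_demo_tree; the identifiers it extracts are what you would block, watch or pass to law enforcement, and the renamed-file count per id tells you whether more than one build (or more than one affiliate) touched the host.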

MITRE ATT&CK Enterprise v16
