Edit tour
Windows
Analysis Report
yEB1xvr2rZ.exe
Overview
General Information
Sample name: | yEB1xvr2rZ.exerenamed because original name is a hash value |
Original sample name: | 086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe |
Analysis ID: | 1447455 |
MD5: | 7e488e4928dd33d8aaf738da2baaba46 |
SHA1: | 6caa45286b4f92555cb4cb5f2ff8ccdb37e09a1e |
SHA256: | 086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529 |
Tags: | exelockbit |
Infos: | |
Detection
LockBit ransomware
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
AI detected suspicious sample
Changes the wallpaper picture
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Deletes itself after installation
Found Tor onion address
Found potential ransomware demand text
Hides threads from debuggers
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- yEB1xvr2rZ.exe (PID: 6980 cmdline:
"C:\Users\ user\Deskt op\yEB1xvr 2rZ.exe" MD5: 7E488E4928DD33D8AAF738DA2BAABA46) - 9BAE.tmp (PID: 4588 cmdline:
"C:\Progra mData\9BAE .tmp" MD5: 294E9F64CB1642DD89229FFF0592856B) - cmd.exe (PID: 1508 cmdline:
"C:\Window s\System32 \cmd.exe" /C DEL /F /Q C:\PROG RA~3\9BAE. tmp >> NUL MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5572 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
{"URL": "http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion", "Ransom Note": "\r\n~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~\r\n\r\n>>>>> Your data is stolen and encrypted.\r\n\r\nBLOG Tor Browser Links:\r\nhttp://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/\r\nhttp://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/\r\nhttp://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/\r\nhttp://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/\r\nhttp://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/\r\nhttp://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/\r\nhttp://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/\r\n\r\n>>>>> What guarantee is there that we won't cheat you? \r\nWe are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live\r\n \r\n>>>>> You need to contact us on TOR darknet sites with your personal ID\r\n\r\nDownload and install Tor Browser https://www.torproject.org/\r\nWrite to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.\r\n\r\nTor Browser personal link for CHAT available only to you (available during a ddos attack): \r\nhttp://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion\r\n\r\nTor Browser Links for CHAT (sometimes unavailable due to ddos attacks):\r\nhttp://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion\r\nhttp://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion\r\nhttp://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion\r\nhttp://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion\r\nhttp://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion\r\nhttp://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion\r\nhttp://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion\r\n\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>> Your personal Black ID: ED45A38511580A646D8B6D41359938A6 <<\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n\r\n>>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files!\r\n\r\n>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you. "}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
Click to see the 30 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
| |
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
Click to see the 4 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
| |
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
|
System Summary |
---|
Source: | Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |