Edit tour
Windows
Analysis Report
IUccGQLWI0.ps1
Overview
General Information
Sample name: | IUccGQLWI0.ps1renamed because original name is a hash value |
Original sample name: | 36f48ef3776c01d63a2fd594d52dfb7402ea634162fd079b0d942367a2fbed56.ps1 |
Analysis ID: | 1579866 |
MD5: | 8015d634e9e5fd003885700bca4723d8 |
SHA1: | ac4217259c16aefbec8c32024c66d74f99ceb48b |
SHA256: | 36f48ef3776c01d63a2fd594d52dfb7402ea634162fd079b0d942367a2fbed56 |
Tags: | lockbitlockbit40powershellps1ransomwareuser-TheRavenFile |
Infos: | |
Detection
LockBit ransomware, Metasploit
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Found malware configuration
Found post-exploitation toolkit Empire
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
Yara detected MetasploitPayload
AI detected suspicious sample
Changes the wallpaper picture
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found Tor onion address
Found potential ransomware demand text
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies existing user documents (likely ransomware behavior)
Powershell drops PE file
Sigma detected: Suspicious PowerShell Parameter Substring
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- powershell.exe (PID: 4136 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -noLogo -E xecutionPo licy unres tricted -f ile "C:\Us ers\user\D esktop\IUc cGQLWI0.ps 1" MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5472 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 3228 cmdline:
"C:\Window s\SysWOW64 \WindowsPo werShell\v 1.0\powers hell.exe" -ex bypass -nonI C:\ Users\user \Desktop\I UccGQLWI0. ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - conhost.exe (PID: 5816 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - splwow64.exe (PID: 7668 cmdline:
C:\Windows \splwow64. exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73) - 339E.tmp (PID: 8164 cmdline:
"C:\Progra mData\339E .tmp" MD5: 294E9F64CB1642DD89229FFF0592856B)
- ONENOTE.EXE (PID: 8180 cmdline:
/insertdoc "C:\Users \user\AppD ata\Local\ Microsoft\ Windows\IN etCache\{9 9BD1B98-4E F0-4608-B9 5D-29BBEDC A41A1}.xps " 13379427 5841470000 MD5: 0061760D72416BCF5F2D9FA6564F0BEA)
- svchost.exe (PID: 7464 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
{"URL": "http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion", "Ransom Note": "~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~\r\n\r\n>>>>> You must pay us.\r\n\r\nTor Browser Links BLOG where the stolen infortmation will be published:\r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/\r\nhttp://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/\r\nhttp://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/\r\nhttp://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/\r\nhttp://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/\r\nhttp://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/\r\nhttp://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/\r\n\r\n>>>>> What is the guarantee that we won't scam you? \r\nWe are the oldest extortion gang on the planet and nothing is more important to us than our reputation. We are not a politically motivated group and want nothing but financial rewards for our work. If we defraud even one client, other clients will not pay us. In 5 years, not a single client has been left dissatisfied after making a deal with us. If you pay the ransom, we will fulfill all the terms we agreed upon during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators' salaries. You can get more information about us on Elon Musk's Twitter at https://twitter.com/hashtag/lockbit?f=live.\r\n\r\n>>>>> Warning! Do not delete or modify encrypted files, it will lead to irreversible problems with decryption of files!\r\n\r\n>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you. They will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.\r\n\r\n>>>>> When buying bitcoin, do not tell anyone the true purpose of the purchase. Some brokers, especially in the US, do not allow you to buy bitcoin to pay ransom. Communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for Donald Trump to win the election, buying bitcoin to participate in ICO and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. Also you can use adequate cryptocurrency brokers who do not ask questions for what you buy cryptocurrency.\r\n\r\n>>>>> After buying cryptocurrency from a broker, store the cryptocurrency on a cold wallet, such as https://electrum.org/ or any other cold cryptocurrency wallet, more details on https://bitcoin.org By paying the ransom from your personal cold cryptocurrency wallet, you will avoid any problems from regulators, police and brokers.\r\n\r\n>>>>> Don't be afraid of any legal consequences, you were very scared, that's why you followed all our instructions, it's not your fault if you are very scared. Not a single company that paid us has had issues. Any excuses are just for insurance company to not pay on their obligation.\r\n\r\n>>>>> You need to contact us via TOR darknet sites with your personal ID\r\n\r\nDownload and install Tor Browser https://www.torproject.org/\r\nWrite to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.\r\n\r\nTor Browser personal link for CHAT available only to you: \r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://fmtvvg3x5rs7tagzcytmfmffnihnte6gllkljufyz534hfpqhfyg2dad.onion\r\n\r\nTor Browser Links for CHAT \r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion\r\nhttp://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion\r\nhttp://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion\r\nhttp://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion\r\nhttp://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion\r\n\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>> Your personal identifier to communicate with us ID: 5150CB33290ED8C9162EF14B17D217D6 <<<<<\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n\r\n>>>>> Want a lamborghini, a ferrari and lots of titty girls? Sign up and start your pentester billionaire journey in 5 minutes with us.\r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion\r\nhttp://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion\r\nhttp://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion\r\nhttp://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion\r\nhttp://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion\r\n\r\nVersion: LockBitBlack4.0-rc-001\r\n"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
| |
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | ||
Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
| |
Click to see the 10 entries |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): |
Source: | Author: frack113: |
Source: | Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Source: | Author: vburov: |
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |