Common Information
Type | Value |
---|---|
Value |
import "pe"

// Detects the LockBit ransomware sample 9689A16B72D48DAB.exe described in the
// DFIR Report write-up referenced below. The string set is grouped by what the
// strings are (ransom-note text, Backup Exec service names, status/log strings);
// the logic is unchanged: MZ header, size cap, then imphash OR 8 string hits.
rule sig_9689A16B72D48DAB_lockbit_ransomware
{
    meta:
        description = "exe - file 9689A16B72D48DAB.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/2020/06/10/lockbit-ransomware-why-you-no-spread/"
        date = "2020-06-10"
        hash1 = "f173904cf7d15c9c52f22813cb846814f9292227f4321d497cbf14adc05151f4"

    strings:
        // Self-deletion command line embedded in the sample (UTF-16 in the binary).
        $cmd_selfdelete = "y /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 \"%s\" & Del /f /q \"%s\"" wide fullword

        // Ransom-note text: payment site and Tor instructions.
        $note_blocked   = "# lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site" ascii fullword
        $note_link      = "| 1. Open link http://lockbit-decryptor.com/?" ascii fullword
        $note_tor_dl    = "| 1. Download Tor browser - https://www.torproject.org/ and install it." ascii fullword
        $note_tor_man   = "# Tor Browser user manual https://tb-manual.torproject.org/about" ascii fullword
        $note_tor_rec   = "2) Through a Tor Browser - recommended" ascii fullword
        $note_onion     = "| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?" ascii fullword
        // Kept without modifiers exactly as published (text ends at "VP").
        $note_bridges   = "# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VP"

        // Veritas/Symantec Backup Exec service names present as literals in the sample.
        $svc_divecimedia = "BackupExecDiveciMediaService" ascii fullword
        $svc_rpc         = "BackupExecRPCService" ascii fullword
        $svc_management  = "BackupExecManagementService" ascii fullword
        $svc_agentbrowser = "BackupExecAgentBrowser" ascii fullword
        $svc_agentaccel  = "BackupExecAgentAccelerator" ascii fullword
        $svc_vssprovider = "BackupExecVSSProvider" ascii fullword
        $svc_jobengine   = "BackupExecJobEngine" ascii fullword

        // Status/log format strings and one miscellaneous artifact.
        $log_killed     = "Killed process: %s [pid: %ld]" ascii fullword
        $log_debugpriv  = "Debug Privilege: OK" ascii fullword
        $log_sesskeys   = "Getting session keys from registry" ascii fullword
        $log_limited    = "Process created with limited rights" ascii fullword
        $misc_trayicon  = "Simply.SystemTrayIcon" ascii fullword

    condition:
        // PE "MZ" magic, size bound, then either the known import hash or a
        // broad string match (8 of the 20 strings above, any category).
        uint16(0) == 0x5a4d
        and filesize < 400KB
        and (
            pe.imphash() == "11966c50203457b60a57ef0419cb4ef9"
            or 8 of them
        )
}
Category | |
Type | Yara Rule |
Misp Type | |
Description |