LockBit Ransomware v2.0
Common Information
Type Value
UUID 4edc3c33-54b3-47f2-a954-83de7f8b4d5b
Fingerprint ac382d13c0b886c2
Analysis status DONE
Considered CTI value 1
Text language
Published March 19, 2022, midnight
Added to db Aug. 31, 2024, 12:04 a.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline LockBit Ransomware v2.0
Title LockBit Ransomware v2.0
Detected Hints/Tags/Attributes 165/3/86
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 84 Chuong Dong https://chuongdong.com/feed 2024-08-30 22:08
Attributes