Lockbit Ransomware, Why You No Spread? - The DFIR Report
Tags
Common Information
Type | Value |
---|---|
UUID | ff29503f-0ed2-4c74-ae6f-f09c3230d58e |
Fingerprint | 4433aa7bacbfe076 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | June 10, 2020, 2:22 p.m. |
Added to db | Jan. 24, 2023, 2:14 p.m. |
Last updated | Nov. 18, 2024, 4:35 a.m. |
Headline | Lockbit Ransomware, Why You No Spread? |
Title | Lockbit Ransomware, Why You No Spread? - The DFIR Report |
Detected Hints/Tags/Attributes | 38/2/53 |
Source URLs
Redirection | Url |
---|---|
Source | https://thedfirreport.com/2020/06/10/lockbit-ransomware-why-you-no-spread/ |
URL Provider
Attributes
Type | #Events | Value |
---|---|---|
Domain | 88 | app.any.run |
Domain | 74 | thedfirreport.com |
Domain | 67 | microsoft.windows |
Domain | 73 | schemas.microsoft.com |
Domain | 5 | lockbit-decryptor.com |
Domain | 179 | www.torproject.org |
Domain | 9 | tb-manual.torproject.org |
Domain | 9 | lockbitks2tvnmwk.onion |
Domain | 9 | bridges.torproject.org |
File | 14 | %appdata%\svchost.exe |
File | 48 | c:\windows\system32\cmd.exe |
File | 1122 | svchost.exe |
File | 2 | c:\users\admin\appdata\roaming\svchost.exe |
File | 1 | 9689a16b72d48dab.exe |
File | 3 | screensaver.exe |
File | 1 | desktop_locker.exe |
File | 1 | f:\projelerim\hakops keylogger\v15\server\hk15sw.vb |
File | 1 | vba6.dll |
File | 1 | c:\windows\syswow64\msvbvm60.dll |
File | 1 | connections.txt |
File | 1 | listesi.txt |
File | 20 | screenshot.jpg |
File | 10 | simply.sys |
md5 | 1 | 50f8f376d4b53027920f2a6fa5845efb |
md5 | 1 | 5b741c6abf44d2eecd853addeafdcf24 |
md5 | 1 | f9073cc6566ba11318b425a761f1ce17 |
md5 | 1 | 3fdb0650e8607422d0624242575f61f2 |
md5 | 1 | 692042adb1ddf54508674aa2ffb4c50b |
md5 | 1 | 11966c50203457b60a57ef0419cb4ef9 |
sha1 | 1 | ce4614fe2e01c8e4feaf7c79c6a1c70697d89cd3 |
sha1 | 1 | 51b88dbb3d241709c25943928fefc1b1909768df |
sha1 | 1 | d378ce237e83314c9844b4e6ce4867e2783737db |
sha256 | 1 | 27772574d00fef60de5251b2438db57b3a2645bd70e4aab13c84894844ba173f |
sha256 | 1 | f173904cf7d15c9c52f22813cb846814f9292227f4321d497cbf14adc05151f4 |
sha256 | 1 | c3ec60b8052e31db149c35080afea5b57b1e8a034386555d12035eb5edefdd68 |
IPv4 | 1 | 165.231.142.36 |
IPv4 | 1 | 185.86.76.30 |
IPv4 | 25 | 6.0.0.0 |
IPv4 | 11 | 127.0.0.7 |
Url | 1 | https://app.any.run/tasks/b4b9f9ac-64e9-43ad-8521-482f25bfb681 |
Url | 1 | https://app.any.run/tasks/e52865be-167e-4b51-b5f8-8cf9e9415e22 |
Url | 1 | https://app.any.run/tasks/5ee821d9-d8c0-418c-ba14-d47567e9a0a0 |
Url | 1 | https://thedfirreport.com/2020/06/10/lockbit-ransomware-why-you-no-spread |
Url | 1 | http://schemas.microsoft.com/cdo |
Url | 1 | http://lockbit-decryptor.com/? |
Url | 63 | https://www.torproject.org |
Url | 7 | https://tb-manual.torproject.org/about |
Url | 5 | http://lockbitks2tvnmwk.onion/? |
Url | 7 | https://bridges.torproject.org |
Windows Registry Key | 104 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows |
Yara rule | 1 | screensaver_desktop_locker |
Yara rule | 1 | HAKOPS_keylogger_15 |
Yara rule | 1 | sig_9689A16B72D48DAB_lockbit_ransomware |

Full text of the three Yara rules (the three md5 values 3fdb0650..., 692042ad... and 11966c50... in the table above are the pe.imphash() values these rules compare against, not file hashes):

```yara
import "pe"

rule screensaver_desktop_locker {
    meta:
        description = "exe - file screensaver.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/2020/06/10/lockbit-ransomware-why-you-no-spread/"
        date = "2020-06-10"
        hash1 = "c3ec60b8052e31db149c35080afea5b57b1e8a034386555d12035eb5edefdd68"
    strings:
        $x1 = "<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" language=\"*\" processorArchitec"
        $s2 = "<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" language=\"*\" processorArchitec"
        $s3 = "Desktop_Locker.exe" wide fullword
        $s4 = "KeyEx~+" ascii fullword
        $s5 = "xkernel32" ascii fullword
        $s6 = "re=\"*\" publicKeyToken=\"6595b64144ccf1df\"></assemblyIdentity>" ascii fullword
        $s7 = "_logb'yn=d" ascii fullword
        $s8 = "ComplPe " ascii fullword
        $s9 = "tNhitmP" ascii fullword
        $s10 = "RUNpKI;" ascii fullword
        $s11 = ".UserObjectInform1Wf;" ascii fullword
        $s12 = "QUNICOD" ascii fullword
        $s13 = "LPTX999" ascii fullword
        $s14 = "allsig" ascii fullword
        $s15 = "xaqfwd" ascii fullword
        $s16 = "Gpm* YN" ascii fullword
        $s17 = "6VVhU\\ " ascii fullword
        $s18 = "#G3;\\0ANIi7j\\" ascii fullword
        $s19 = "UnkJwn excz`>o" ascii fullword
        $s20 = "dfgxA v" ascii fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and
        (pe.imphash() == "3fdb0650e8607422d0624242575f61f2" or (1 of ($x*) or 4 of them))
}

rule HAKOPS_keylogger_15 {
    meta:
        description = "HAKOPSA keylogger 15 exe - file svchost.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/2020/06/10/lockbit-ransomware-why-you-no-spread/"
        date = "2020-06-10"
        hash1 = "27772574d00fef60de5251b2438db57b3a2645bd70e4aab13c84894844ba173f"
    strings:
        $x1 = "A*\\AF:\\Projelerim\\HAKOPS Keylogger\\v15\\Server\\hk15sw.vbp" wide fullword
        $s2 = "FC:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\VBA6.dll" ascii fullword
        $s3 = "HAKOPS Keylogger 15 - KAYITLAR - [" wide fullword
        $s4 = "HAKOPS Keylogger 15 - SERVER AKTIF EDILDI - [" wide fullword
        $s5 = "C:\\Windows\\SysWOW64\\msvbvm60.dll\\3" ascii fullword
        $s6 = "<td><span style=\"color:#3C87AF;\">HAKOPS Keylogger 15</span></td>" ascii fullword
        $s7 = "00\">HAKOPS Keylogger</p></td>" ascii fullword
        $s8 = "<title>HAKOPS Keylogger 15</title>" ascii fullword
        $s9 = "http://schemas.microsoft.com/cdo/" wide fullword
        $s10 = "<!-- Identify the application security requirements: Vista and above -->" ascii fullword
        $s11 = "\\TeamViewer\\Connections.txt" wide fullword
        $s12 = "o en el password " wide fullword
        $s13 = "C:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\VB6.OLB" ascii fullword
        $s14 = "<td><p style=\"color:#ffffff;font-family:Arial,Helvetica,sans-serif;font-size:18px;margin-left:30px;font-weight:700\">HAKOPS Key"
        $s15 = "\\TeamViewer Baglanti Listesi.txt" wide fullword
        $s16 = "configuration/smtpauthenticate" wide fullword
        $s17 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName" wide fullword
        $s18 = "regread" wide fullword
        $s19 = "ScreenShot.jpg" wide fullword
        $s20 = " <b><font color='DarkGreen'>" wide fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and
        (pe.imphash() == "692042adb1ddf54508674aa2ffb4c50b" or (1 of ($x*) or 4 of them))
}

rule sig_9689A16B72D48DAB_lockbit_ransomware {
    meta:
        description = "exe - file 9689A16B72D48DAB.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/2020/06/10/lockbit-ransomware-why-you-no-spread/"
        date = "2020-06-10"
        hash1 = "f173904cf7d15c9c52f22813cb846814f9292227f4321d497cbf14adc05151f4"
    strings:
        $s1 = "y /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 \"%s\" & Del /f /q \"%s\"" wide fullword
        $s2 = "# lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site" ascii fullword
        $s3 = "| 1. Open link http://lockbit-decryptor.com/?" ascii fullword
        $s4 = "| 1. Download Tor browser - https://www.torproject.org/ and install it." ascii fullword
        $s5 = "BackupExecDiveciMediaService" ascii fullword
        $s6 = "BackupExecRPCService" ascii fullword
        $s7 = "BackupExecManagementService" ascii fullword
        $s8 = "Killed process: %s [pid: %ld]" ascii fullword
        $s9 = "# Tor Browser user manual https://tb-manual.torproject.org/about" ascii fullword
        $s10 = "BackupExecAgentBrowser" ascii fullword
        $s11 = "BackupExecAgentAccelerator" ascii fullword
        $s12 = "BackupExecVSSProvider" ascii fullword
        $s13 = "BackupExecJobEngine" ascii fullword
        $s14 = "Debug Privilege: OK" ascii fullword
        $s15 = "2) Through a Tor Browser - recommended" ascii fullword
        $s16 = "Getting session keys from registry" ascii fullword
        $s17 = "Process created with limited rights" ascii fullword
        $s18 = "| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?" ascii fullword
        $s19 = "# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VP"
        $s20 = "Simply.SystemTrayIcon" ascii fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and
        (pe.imphash() == "11966c50203457b60a57ef0419cb4ef9" or 8 of them)
}
```
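The `$s1` string of `sig_9689A16B72D48DAB_lockbit_ransomware` is a printf-style template (`"%s"` twice) for a delayed self-deletion chain: ping the loopback address as a sleep, zero the first 512 KiB of the file with `fsutil file setZeroData`, then delete it. The YARA rule only finds that template inside the binary; the same chain also shows up as a `cmd.exe` command line when the sample runs. The following is an added example, not code from The DFIR Report or from the rules above, that turns the template into a check over process-creation telemetry. The `CommandLine=` key/value log layout and the three sample lines are constructed for this example, and the filled-in path of the executable is an assumption; adapt `extract_command_line` to your own event source (Sysmon event 1, Security 4688 with command-line auditing, or an EDR feed).

```python
"""Detect the LockBit delayed self-deletion command chain in process-creation logs.

Added example, not part of the original report. The only grounding is the $s1
string of rule sig_9689A16B72D48DAB_lockbit_ransomware:
    ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "%s" & Del /f /q "%s"
The log layout (a 'CommandLine=' field) and the sample lines are constructed for
this example; the executable path filled in for "%s" is an assumption.
"""
import re
from typing import Dict, Iterable, List

# Deliberately loose on the loopback address, ping count and zero length: the
# sample uses 127.0.0.7, -n 3 and 524288 bytes, but any of those can change
# without changing the technique (delay, wipe the header, delete the file).
SELF_DELETE_RE = re.compile(
    r"ping\s+(?P<addr>127\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+-n\s+(?P<count>\d+)\s*>\s*nul\s*&\s*"
    r"fsutil\s+file\s+setzerodata\s+offset=\d+\s+length=(?P<length>\d+)\s+\"(?P<zeroed>[^\"]+)\"\s*&\s*"
    r"del\s+/f\s+/q\s+\"(?P<deleted>[^\"]+)\"",
    re.IGNORECASE,
)


def extract_command_line(line: str) -> str:
    """Pull the CommandLine= field out of one constructed key=value log line."""
    m = re.search(r"CommandLine=(.*)$", line)
    return m.group(1) if m else ""


def find_self_delete(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per log line whose command line carries the full
    ping -> fsutil setZeroData -> del chain. fsutil or ping alone never match:
    the chain is the discriminator, the individual tools are routine."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = SELF_DELETE_RE.search(extract_command_line(line))
        if not m:
            continue
        zeroed, deleted = m.group("zeroed"), m.group("deleted")
        hits.append({
            "zeroed": zeroed,
            "deleted": deleted,
            # In the sample both %s slots are the ransomware's own path; a
            # mismatch is still worth a look but is a different behaviour.
            "same_target": zeroed.lower() == deleted.lower(),
            "length": int(m.group("length")),
            "ping_addr": m.group("addr"),
        })
    return hits


# Constructed sample telemetry (not from the report): one benign sleep idiom,
# one instance of the LockBit chain with an assumed path filled in for "%s",
# and one administrative fsutil call that must not fire.
SAMPLE_LOG = [
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c ping 127.0.0.1 -n 1 > nul",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "
    "\"C:\\Users\\admin\\Desktop\\9689A16B72D48DAB.exe\" & Del /f /q \"C:\\Users\\admin\\Desktop\\9689A16B72D48DAB.exe\"",
    "EventID=1 Image=C:\\Windows\\System32\\fsutil.exe "
    "CommandLine=fsutil file setZeroData offset=0 length=4096 \"D:\\logs\\old.log\"",
]

if __name__ == "__main__":
    for hit in find_self_delete(SAMPLE_LOG):
        print(hit)
```

Because the binary zeroes its own first 512 KiB before deleting itself, the on-disk copy is usually gone or headerless by the time a responder arrives; a hit from this check is the cue to pull the original from the process image in memory, a VSS snapshot, or the `%appdata%` and download paths listed in the attributes above rather than from the deleted file's location.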