
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 732631
MD5: 4e52098915028fb63cf4f1205a1730fa
SHA1: 719b2a14e70d2913fd4ec4c403a586741fe64a10
SHA256: 367f5b45da98215ff297e0856e4a961c9e831e4f06457f16453f60d0cf407449
Tags: exe

Detection

LockBit ransomware
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
Malicious sample detected (through community Yara rule)
Found ransom note / readme
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Writes many files with high entropy
Writes a notice file (html or txt) to demand a ransom
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Contains functionality to clear windows event logs (to hide its activities)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
PE file contains an invalid checksum
Enables security privileges
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • file.exe (PID: 5216 cmdline: C:\Users\user\Desktop\file.exe MD5: 4E52098915028FB63CF4F1205A1730FA)
    • splwow64.exe (PID: 4936 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
  • cleanup
Source | Rule | Description | Author | Strings
file.exe | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown
  • 0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x4d4:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
Source | Rule | Description | Author | Strings
00000000.00000003.348122024.00000000008E5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security
00000000.00000003.351537079.00000000008CD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security
00000000.00000003.340156127.00000000008CD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security
00000000.00000003.348024418.00000000008E5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security
00000000.00000003.292192937.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security
(5 of 126 memory dump entries shown)
Source | Rule | Description | Author | Strings
0.3.file.exe.95ad4c.0.raw.unpack | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown
  • 0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x4d4:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
0.0.file.exe.d00000.0.unpack | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown
  • 0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x4d4:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
0.2.file.exe.d00000.0.unpack | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown
  • 0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x4d4:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: file.exe | ReversingLabs: Detection: 78%
Source: file.exe | Avira: detected
Source: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion | Avira URL Cloud: Label: malware
Source: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly | Avira URL Cloud: Label: malware
Source: http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion | Avira URL Cloud: Label: malware
Source: file.exe | Joe Sandbox ML: detected
Source: 0.3.file.exe.95ad4c.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.file.exe.d00000.0.unpack | Avira: Label: BDS/ZeroAccess.Gen7
Source: 0.0.file.exe.d00000.0.unpack | Avira: Label: BDS/ZeroAccess.Gen7
Source: g0sOhfQ0Z.README.txt176.0.dr | Malware Configuration Extractor: Lockbit
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File created: C:\g0sOhfQ0Z.README.txt
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\g0sOhfQ0Z.README.txt
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\g0sOhfQ0Z.README.txt
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\Videos\g0sOhfQ0Z.README.txt
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\Searches\g0sOhfQ0Z.README.txt
Source: C:\Users\user\Desktop\file.exe