Ransom.Win32.LOCKBIT.EOD

2023年5月11日

分(fēn)析者: Melvin Jhun Palbusa

平台:

Windows

总體(tǐ)风险等级:

潜在破坏:

潜在分(fēn)布:

感染次数:

信息暴露:

恶意软件类型:
Ransomware
有(yǒu)破坏性？:
没有(yǒu)
加密？:
是的
In the Wild:
是的

概要

感染途徑: ???????, ?????????

它以文(wén)件的形式出现在系统中(zhōng)，可(kě)能(néng)是其他(tā)恶意软件投放的，或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。

技(jì )术详细信息

文(wén)件大小(xiǎo): 450,459 bytes

报告日期: EXE

内存驻留: 没有(yǒu)

初始樣本接收日期: 2023年5月1日

Payload: ???????, ????/???

???????

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

???????????:

explorer.exe
notepad.exe

?????

???????:

%ProgramData%\Ck8GvVQ9E.ico

??????

???????????????????:

HKEY_LOCALMACHINE\SOFTWARE\Classes\
Ck8GvVQ9E\DefaultIcon
(Default) = %ProgramData%Ck8GvVQ9E.ico

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.Ck8GvVQ9E
(Default) = Ck8GvVQ9E

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter = 0x00000027(39)

?????????????????????:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.Ck8GvVQ9E

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Ck8GvVQ9E

HKEY_LOCALMACHINE\SOFTWARE\Classes\
Ck8GvVQ9E\DefaultIcon

????

????????????????????:

agntsvc
calc
dbeng50
dbsnmp
encsvc
excel
firefox
infopath
isqlplussvc
msaccess
mspub
mydesktopqos
mydesktopservice
notepad
ocautoupds
ocomm
ocssd
onedrive
onenote
oracle
outlook
powerpnt
sqbcoreservice
sql
steam
synctime
tbirdconfig
thebat
thunderbird
visio
winword
wordpad
wuauclt
xfssvccon

??????

??????????????:

LBB.bin ? Encrypted Lockbit Ransomware

?????????:

If not executed with admin rights, it will attempt relaunch itself as admin by elevating its privileges via bypassing UAC.
It encrypts fixed, removable and network drives
It deletes files in recycle bin folder for removable and fixed drives
它使用(yòng) WQL 来删除快照副本
It terminates if the machine has the following system language:
- Arabic (Syria)
- Armenian
- Azerbaijani (Cyrillic)
- Azerbaijani (Latin)
- Belarusian
- Georgian
- Kazakh
- Kyrgyz (Cyrillic)
- Romanian (Moldova)
- Russian
- Russian (Moldova)
- Tajik
- Tatar
- Turkmen
- Ukrainian
- Uzbek (Cyrillic)
- Uzbek (Latin)
It deletes services with the following strings:
- backup
- GxBlr
- GxCIMgr
- GxCVD
- GxFWD
- GxVss
- memtas
- mepocs
- msexchange
- sophos
- sql
- svc$
- veeam
- vss
It deletes the following services:
- WdBoot
- WdFilter
- WdNisDrv
- WdNisSvc
- WinDefend
- wscsvc
- sppsvc
- Sense
- SecurityHealthService
Change the icon of encrypted file with %ProgramData%\Ck8GvVQ9E.ico

解决方案

最小(xiǎo)扫描引擎: 9.800

First VSAPI Pattern File: 18.436.04

VSAPI 第一样式发布日期: 2023年5月10日

VSAPI OPR样式版本: 18.437.00

VSAPI OPR样式发布日期: 2023年5月11日

Step 1

??Windows ME?XP??,????,????????????,??????????

Step 2

????????

[ 更多(duō) ]

??????????????????????????????????????,??????????????????

%ProgramData%\Ck8GvVQ9E.ico

Step 3

????????

[ 更多(duō) ]

????:????Windows???????????????????????????????????????????,????Microsoft??,????????????

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
- .Ck8GvVQ9E
In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
- Ck8GvVQ9E
In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ck8GvVQ9E\
- DefaultIcon

Step 4

???????

[ 更多(duō) ]

????:????Windows???????????????????????????????????????????,????Microsoft??,????????????

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.Ck8GvVQ9E
- (Default) = Ck8GvVQ9E
In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ck8GvVQ9E\DefaultIcon
- (Default) = %ProgramData%Ck8GvVQ9E.ico
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
- Explorer GlobalAssocChangedCounter = 0x00000027(39)

Step 5

?????????????,???????Ransom.Win32.LOCKBIT.EOD?? ????????????????????????,????????????????????????????????????????