分析者: Bren Matthew Ebriega   

 :

Ransom:Win32/Lockbit.AA!MTB (MICROSOFT); W32/Lockbit.C2F8!tr.ransom (FORTINET)

 平台:

Windows

 总体风险等级:
 潜在破坏:
 潜在分布:
 感染次数:
 信息暴露:

  • 恶意软件类型:
    Ransomware

  • 有破坏性?:
    没有

  • 加密?:
    是的

  • In the Wild:
    是的

  概要

感染途徑: 从互联网上下载

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  技术详细信息

文件大小: 883,200 bytes
报告日期: EXE
内存驻留: 是的
初始樣本接收日期: 2021年7月23日
Payload: 禁用服务, 显示消息/消息框, 终止进程

新病毒详细信息

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

安装

它植入下列文件:

  • %User Temp%\{4 Hex Characters}.tmp.bmp → Used as Wallpaper.

(注意: %User Temp% 是当前用户的 Temp 文件夹。通常位于 C:\Documents and Settings\{user name}\Local Settings\Temp (Windows 2000(32-bit)、XP 和 Server 2003(32-bit))、C:\Users\{user name}\AppData\Local\Temp (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit) 和 10(64-bit)。)

它添加下列进程:

  • %System%\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  • %System%\mshta.exe %Desktop%\LockBit_Ransomware.hta {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  • %System%\cmd.exe /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "{Malware Filepath}\{Malware Filename}" & Del /f /q "{Malware Filepath}\{Malware Filename}"

(注意: %System% 是 Windows 的 system 文件夹,通常位于 C:\Windows\System (Windows 98 和 ME)、C:\WINNT\System32 (Windows NT 和 2000) 和 C:\WINDOWS\system32 (Windows 2000(32-bit)、XP、Server 2003(32-bit)、Vista、7、8、8.1、2008(64-bit),2012(64bit) 和 10(64-bit))。. %Desktop% 是当前用户的桌面,通常位于 C:\Windows\Profiles\{user name}\Desktop (Windows 98 和 ME)、C:\WINNT\Profiles\{user name}\Desktop (Windows NT)、C:\Documents and Settings\{User Name}\桌面 (Windows 2000(32-bit)、XP 和 Server 2003(32-bit)) 和 C:\Users\{user name}\Desktop (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit) 和 10(64-bit))。)

它添加下列互斥条目,确保一次只会运行一个副本:

  • {D028A5BF-D028-A31F-9BF8-DBCBCB5CDB55}

自启动技术

它添加下列注册表项,在系统每次启动时自行执行:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{F068DCBF-2828-A337-9BF8-9BCB3D5CBF55} = {Malware Filepath}\{Malware Filename}.exe

其他系统修改

它添加下列注册表项:

HKEY_CURRENT_USER\Software\7D68A5BF281FF8
Private = {Hex Values}

HKEY_CURRENT_USER\Software\7D68A5BF281FF8
Public = {Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.lockbit
(Default) = Lockbit

HKEY_CLASSES_ROOT\Lockbit
(Default) = Lockbit Class

HKEY_CLASSES_ROOT\Lockbit\DefaultIcon
(Default) = %System%\{random}.ico

HKEY_CLASSES_ROOT\Lockbit\shell\
Open\Command
(Default) = %System%\mshta.exe %Desktop%\LockBit_Ransomware.hta

它通过修改下列注册表项,更改桌面壁纸:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %User Temp%\{4 Hex Characters}.tmp.bmp

HKEY_CURRENT_USER\Control Panel\Desktop
WallpaperStyle = 2

HKEY_CURRENT_USER\Control Panel\Desktop
TileWallpaper = 0

它将系统的桌面壁纸设置为下列图像:

进程终止

它终止在受感染的系统上运行的下列服务:

  • AcronisAgent
  • AcrSch2Svc
  • ARSM
  • backup
  • BackupExecAgentAccelerator
  • BackupExecAgentBrowser
  • BackupExecDiveciMediaService
  • BackupExecJobEngine
  • BackupExecManagementService
  • BackupExecRPCService
  • BackupExecVSSProvider
  • bedbg
  • CAARCUpdateSvc
  • CASAD2DWebSvc
  • ccEvtMgr
  • ccSetMgr
  • Culserver
  • dbeng8
  • dbsrv12
  • DefWatch
  • FishbowlMySQL
  • Intuit.QuickBooks.FCS
  • memtas
  • mepocs
  • MSExchange
  • MSExchange$
  • msftesql-Exchange
  • msmdsrv
  • MSSQL
  • MSSQL$
  • MSSQL$KAV_CS_ADMIN_KIT
  • MSSQL$MICROSOFT##SSEE
  • MSSQL$MICROSOFT##WID
  • MSSQL$MICROSOFT##WID
  • MSSQL$SBSMONITORING
  • MSSQL$SHAREPOINT
  • MSSQL$VEEAMSQL2012
  • MSSQLFDLauncher$SBSMONITORING
  • MSSQLFDLauncher$SHAREPOINT
  • MSSQLServerADHelper100
  • MVArmor
  • MVarmor64
  • MySQL57
  • PDVFSService
  • QBCFMonitorService
  • QBFCService
  • QBIDPService
  • QBVSS
  • RTVscan
  • SavRoam
  • sophos
  • sql
  • sqladhlp
  • SQLADHLP
  • sqlagent
  • SQLAgent$KAV_CS_ADMIN_KIT
  • SQLAgent$SBSMONITORING
  • SQLAgent$SHAREPOINT
  • SQLAgent$VEEAMSQL2012
  • sqlbrowser
  • SQLBrowser
  • Sqlservr
  • SQLWriter
  • stc_raw_agent
  • svc$
  • tomcat6
  • veeam
  • VeeamDeploymentService
  • VeeamNFSSvc
  • VeeamTransportSvc
  • vmware-converter
  • vmware-usbarbitator64
  • VSNAPVSS
  • vss
  • wrapper
  • WSBExchange
  • YooBackup
  • YooIT
  • zhudongfangyu

它终止在受感染的系统内存中运行的下列进程:

  • 360doctor.exe
  • 360se.exe
  • acwebbrowser.exe
  • ADExplorer.exe
  • ADExplorer64.exe
  • ADExplorer64a.exe
  • Adobe CEF.exe
  • Adobe Desktop Service.exe
  • AdobeCollabSync.exe
  • AdobeIPCBroker.exe
  • agntsvc.exe
  • AutodeskDesktopApp.exe
  • Autoruns.exe
  • Autoruns64.exe
  • Autoruns64a.exe
  • Autorunsc.exe
  • Autorunsc64.exe
  • Autorunsc64a.exe
  • avz.exe
  • axlbridge.exe
  • bedbh.exe
  • benetns.exe
  • bengien.exe
  • beserver.exe
  • BrCcUxSys.exe
  • BrCtrlCntr.exe
  • CagService.exe
  • CoreSync.exe
  • Creative Cloud.exe
  • Culture.exe
  • dbeng50.exe
  • dbsnmp.exe
  • Defwatch.exe
  • DellSystemDetect.exe
  • dumpcap.exe
  • encsvc.exe
  • EnterpriseClient.exe
  • excel.exe
  • fbguard.exe
  • fbserver.exe
  • fdhost.exe
  • fdlauncher.exe
  • GDscan.exe
  • GlassWire.exe
  • GWCtlSrv.exe
  • Helper.exe
  • httpd.exe
  • infopath.exe
  • InputPersonalization.exe
  • isqlplussvc.exe
  • j0gnjko1.exe
  • java.exe
  • koaly-exp-engine-service.exe
  • msaccess.exe
  • MsDtSrvr.exe
  • mspub.exe
  • mydesktopqos.exe
  • mydesktopservice.exe
  • mysqld.exe
  • node.exe
  • notepad.exe
  • notepad++.exe
  • ocautoupds.exe
  • ocomm.exe
  • ocssd.exe
  • onenote.exe
  • ONENOTEM.exe
  • oracle.exe
  • outlook.exe
  • powerpnt.exe
  • ProcessHacker.exe
  • Procexp.exe
  • Procexp64.exe
  • procexp64a.exe
  • procmon.exe
  • procmon64.exe
  • procmon64a.exe
  • pvlsvr.exe
  • QBDBMgr.exe
  • QBDBMgrN.exe
  • QBIDPService.exe
  • qbupdate.exe
  • QBW32.exe
  • Raccine.exe
  • Raccine_x86.exe
  • RaccineElevatedCfg.exe
  • RaccineSettings.exe
  • RAgui.exe
  • raw_agent_svc.exe
  • RdrCEF.exe
  • RTVscan.exe
  • sam.exe
  • Simply.SystemTrayIcon.exe
  • SimplyConnectionManager.exe
  • sqbcoreservice.exe
  • sqlbrowser.exe
  • sqlmangr.exe
  • Sqlservr.exe
  • Ssms.exe
  • steam.exe
  • supervise.exe
  • sync-taskbar.exe
  • synctime.exe
  • sync-worker.exe
  • Sysmon.exe
  • Sysmon64.exe
  • SystemExplorer.exe
  • SystemExplorerService.exe
  • SystemExplorerService64.exe
  • tbirdconfig.exe
  • tcpview.exe
  • tcpview64.exe
  • tcpview64a.exe
  • tdsskiller.exe
  • TeamViewer.exe
  • TeamViewer_Service.exe
  • thebat.exe
  • thunderbird.exe
  • TitanV.exe
  • tomcat6.exe
  • Totalcmd.exe
  • Totalcmd64.exe
  • tv_w32.exe
  • tv_x64.exe
  • VeeamDeploymentSvc.exe
  • visio.exe
  • vsnapvss.exe
  • vxmon.exe
  • wdswfsafe.exe
  • winword.exe
  • WireShark.exe
  • wordpad.exe
  • wsa_service.exe
  • wxServer.exe
  • wxServerView.exe
  • xfssvccon.exe
  • ZhuDongFangYu.exe

其他详细信息

它添加下列注册表键值:

HKEY_CURRENT_USER\Software\7D68A5BF281FF8

该程序执行以下操作:

  • It has the capability to print the ransom note in infected machines.
  • It encrypts files found in the following drive types:
    • Fixed drive
    • Removable drive
    • Network drive
    • RAM Disks

  解决方案

最小扫描引擎: 9.800
First VSAPI Pattern File: 16.860.08
VSAPI 第一样式发布日期: 2021年7月23日
VSAPI OPR样式版本: 16.861.00
VSAPI OPR样式发布日期: 2021年7月24日

Step 2

对于Windows ME和XP用户,在扫描前,请确认已禁用系统还原功能,才可全面扫描计算机。

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

删除该注册表值

[ 更多 ]

注意事项:错误编辑Windows注册表会导致不可挽回的系统故障。只有在您掌握后或在系统管理员的帮助下才能完成这步。或者,请先阅读Microsoft文章,然后再修改计算机注册表。

 
  • In HKEY_CURRENT_USER\Software\7D68A5BF281FF8
    • Private = {Hex Values}
  • In HKEY_CURRENT_USER\Software\7D68A5BF281FF8
    • Public = {Hex Values}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lockbit
    • (Default) = Lockbit
  • In HKEY_CLASSES_ROOT\Lockbit
    • (Default) = Lockbit Class
  • In HKEY_CLASSES_ROOT\Lockbit\DefaultIcon
    • (Default) = %System%\{random}.ico
  • In HKEY_CLASSES_ROOT\Lockbit\shell\Open\Command
    • (Default) = %System%\mshta.exe %Desktop%\LockBit_Ransomware.hta

Step 5

删除该注册表键值

[ 更多 ]

注意事项:错误编辑Windows注册表会导致不可挽回的系统故障。只有在您掌握后或在系统管理员的帮助下才能完成这步。或者,请先阅读Microsoft文章,然后再修改计算机注册表。

  • In HKEY_CURRENT_USER\Software\
    • 7D68A5BF281FF8

Step 6

搜索和删除该文件

[ 更多 ]
有些组件文件可能是隐藏的。请确认在高级选项中已选中搜索隐藏文件和文件夹复选框,使查找结果包括所有隐藏文件和文件夹。
  • %User Temp%\{4 Hex Characters}.tmp.bmp
  • %Desktop%\Lockbit_Ransomware.hta
  • {Encrypted Directory}\Restore-My-Files.txt

Step 7

使用亚信安全产品扫描计算机,并删除检测到的Ransom.Win32.LOCKBIT.YEBGW文件 如果检测到的文件已被亚信安全产品清除、删除或隔离,则无需采取进一步措施。可以选择直接删除隔离的文件。请参阅知识库页面了解详细信息。

Step 8

重置桌面壁纸

[ 更多 ]

Step 9

Restore encrypted files from backup.