{
	"id": "2a1b36ef-2dfb-4a24-a4e4-8b96681e446c",
	"created_at": "2026-04-06T00:08:41.523494Z",
	"updated_at": "2026-04-10T03:20:29.453119Z",
	"deleted_at": null,
	"sha1_hash": "5b670e1d071b0380ee825d762f18eb68c52b6b3b",
	"title": "LockBit Ransomware Analysis Notes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8650509,
	"plain_text": "LockBit Ransomware Analysis Notes\r\nBy Amged Wageh\r\nPublished: 2021-08-17 · Archived: 2026-04-05 19:34:14 UTC\r\nLockBit is a relatively new family of ransomware that was first discovered in 2019, and since then it has kept evolving in both its social and technical aspects to keep up with modern ransomware. For example, in the newest versions the ransom note threatens victims with leaking their private data if they simply restore their data from a backup and do not pay the ransom, explicitly reminding them of the GDPR as a direct means of extortion. On the technical side, LockBit started using multi-threading to improve the performance of the malware, along with other technical details that will be described in this story.\r\nSo, let's take a closer look at a sample that has been recently published.\r\nSample Info.\r\nMD5: 5761ee98b1c2fea31b5408516a8929ea\r\nSHA1: 4d043df23e55088bfc04c14dfb9ddb329a703cc1\r\nSHA256: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76\r\nCompiler Stamp: 0x5E4A2B92 (Sun Feb 16 21:58:42 2020)\r\nNOTE: This is the final payload, so we'll directly dive into the real nefarious stuff of the malware.\r\nA Quick Look\r\nA very quick look at the sample, to get an idea of what kind of binary we'll be dealing with, shows that the section names are very normal and that the entropy is a little high for the .text and .rdata sections, but not that high. This indicates that most probably the binary is not packed; however, it applies some obfuscation techniques.\r\nhttps://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511\r\nPage 1 of 36\r\n[Image: The Sections Entropy]\r\nA Quick Behavioral Analysis\r\nNOTE: I usually give the binary an arbitrary name because I don't know yet what kind of anti-analysis techniques are being applied, so “lockbit.exe” and “anghami.exe” are the same binary, just so you don't get confused if you've noticed that in the screenshots below.\r\nA quick look at the process tree of the malware shows a bunch of dllhost.exe executions with CLSIDs of COM objects that are known to be vulnerable to UAC bypassing; one of them spawns the lockbit.exe process.\r\n[Image: UAC Bypassing]\r\nWe can also easily notice that it tries to inhibit system recovery by deleting the shadow copies, deleting the Windows backup catalog, and modifying the boot configuration to disable the Windows automatic recovery features.\r\n[Image: The Process Tree]\r\nSetting aside the fact that we already know we're dealing with ransomware, that behavior is a quick giveaway that this is most probably the case.\r\nWe can also see that, for some reason, it tries to scan the network by sending tons of ARP requests to the entire network.\r\n[Image: Network Scanning]\r\nAnd it will try to connect via port 445 (SMB).\r\n[Image: SMB Connection]\r\nRegarding the registry, we'll notice a huge amount of activity related to registry access and modification, but the keys we're most interested in are the following:\r\nSOFTWARE\\LockBit\r\nSOFTWARE\\LockBit\\full\r\nSOFTWARE\\LockBit\\Public\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\XO1XADpO01\r\n[Image: Registry Modification]\r\nFinally, the background will be changed and all the files will be encrypted and given the .lockbit extension.\r\n[Image: Changing The Background]\r\nAnd of course, the ransom note will be dropped.\r\n[Image: Dropping The Ransom-Note]\r\nAnalysis Notes\r\nAfter performing a full static analysis of the sample, giving meaningful names to the variables and functions, adding a few comments to the important sections of code, de-obfuscating the strings, and validating the results with a full behavioral analysis, here are some interesting snippets from the malware that could help us understand its behavior and build detections for it.\r\nAnti Debugging\r\nThe malware checks the NtGlobalFlag field, which lives in the PEB (Process Environment Block) at offset 0x68, to know whether or not the process is being debugged. It performs a TEST on the value of the flag; if it equals 0x70 (which means the process is being debugged), execution is transferred to a block of code that exits the process.\r\n[Image: Anti Debugging]\r\nThe malware also has multiple calls to Sleep with a high number of seconds. This is usually done to avoid being automatically analyzed inside a free sandbox, as most free sandboxes limit the execution time to a few minutes.\r\nToken Impersonation\r\nThe malware will try to impersonate the token of the user logged on via the physical console. It first gets the session identifier of the console session by calling WTSGetActiveConsoleSessionId, then passes that session id to WTSQueryUserToken to obtain the primary access token of the logged-on user. If it fails to get the token, it creates the process in the current security context by calling CreateProcessW; if it manages to get the user's access token, it duplicates the token by calling DuplicateTokenEx and then uses the duplicate token to create the new process with CreateProcessAsUserW.\r\n[Image: Token Impersonation]\r\nMalware usually uses this technique for two reasons:\r\n1. Privilege escalation: if the impersonated user has higher privileges.\r\n2. Defense evasion: to bypass access controls.\r\nString Obfuscation\r\nThis sample has all of its strings encrypted via a simple XOR encryption with a unique key for each string; in each encrypted sequence of bytes, the first byte is the key. The malware first loads the encrypted string onto the stack, then runs the decryption loop. This loop can be seen in almost all the functions.\r\n[Image: XOR Decryption]\r\nHere is a very simple Python function I wrote to help me decrypt the strings. This function takes the hex values as a string and decrypts them.\r\nimport binascii\r\n\r\ndef xor_decrypt(data):\r\n    # data is the encrypted sequence as a hex string; its first byte is the XOR key\r\n    data = binascii.unhexlify(data)\r\n    key = data[0]\r\n    result = ''\r\n    # XOR every remaining byte with the key to recover the plaintext string\r\n    for b in data[1:]:\r\n        result += chr(b ^ key)\r\n    return result\r\nDebugging Messages\r\nThis malware does something very cool: it prints what seem to be debugging messages to a hidden console window. To be as stealthy as possible, all the strings are obfuscated using the same XOR encryption algorithm we discussed; after de-obfuscating all the strings and tracking them, analyzing the sample became much easier.\r\n[Image: Printing Debugging Messages]\r\nGenerating And Storing the Decryption Keys\r\nThe malware uses two algorithms for the encryption: RSA and AES.\r\nFirst, the malware generates an RSA session key pair, then encrypts the private key using a hard-coded public key and stores the encrypted key in the SOFTWARE\\LockBit\\full registry key; the public key is stored in SOFTWARE\\LockBit\\Public.\r\n[Image: Creating The SOFTWARE\\LockBit Reg. Key]\r\nThe malware randomly generates a new AES key for each file. Once it has been used to encrypt the file, the AES key is encrypted using the RSA public session key and appended to the end of the encrypted file. The debugging messages mentioned earlier made it easy to find the function that generates the session keys, as the de-obfuscated string says “Generating session keys”!\r\n[Image: Session Keys Generation]\r\nThe following snippets show the keys being stored and queried.\r\n[Image: Querying The Keys]\r\nFor generating random numbers, LockBit uses LoadLibraryA and GetProcAddress to dynamically load bcrypt.dll and import the BCryptGenRandom API, which it uses to generate 32 bytes of random data; if it can't load the necessary library, it calls CryptAcquireContextW and CryptGenRandom to get the job done.\r\n[Image: Generating Random Numbers]\r\nUtilizing IOCP (I/O Completion Ports)\r\nAs mentioned earlier, LockBit has evolved technically. One of those technical aspects is its use of the Windows I/O completion port mechanism, which provides an efficient threading model for processing multiple asynchronous I/O requests on a multiprocessor system.\r\n[Image: Creating Completion I/O Ports]\r\nThe malware has each function of its behavior separated into a subroutine. It creates an I/O completion port by calling CreateIoCompletionPort, then enters a loop to create a bunch of threads by calling one of the undocumented and stealthier APIs NtCreateThreadEx or RtlCreateUserThread, setting the entry point of each thread to one of the subroutines. After that, NtSetInformationThread is called to set the priority of each created thread.\r\n[Image: Threads Creation]\r\nPrivilege Escalation\r\nFirst, LockBit checks its privileges by getting the process token via NtOpenProcessToken and querying that token via NtQueryInformationToken. After that, it creates a security identifier (SID) matching the Administrators group by passing WinBuiltinAdministratorsSid to CreateWellKnownSid. Finally, it calls CheckTokenMembership to check whether or not the current process token includes the Administrators group.\r\n[Image: Checking Privileges]\r\nIf it does not, LockBit performs a UAC bypass by calling Windows COM objects that can auto-elevate. For masquerading, LockBit implements a publicly available function called supMasqueradeProcess, which allows the malware to conceal its process information by injecting into a process that runs from a trusted directory; it chooses explorer.exe as its target.\r\n[Image: supMasqueradeProcess Implementation]\r\nFor the actual UAC bypass, LockBit calls CoGetObject with the following CLSIDs:\r\nUCMLuaUtil: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}\r\nIColorDataProxy: {D2E7041B-2927-42fb-8E9F-7CE93B6DC937}\r\n[Image: Calling CoGetObject]\r\n[Image: Querying The CLSIDs and Creating The dllhost.exe Processes]\r\nKilling Processes\r\nLockBit calls CreateToolhelp32Snapshot to get a snapshot of the running processes, then uses Process32First and Process32Next to enumerate the snapshot. For each process, it compares the process name against a list of names, and if it matches, it passes the process handle obtained from OpenProcess to TerminateProcess to terminate the process. The list of process names was also encrypted using XOR.\r\n[Image: Process Termination]\r\n[Image: Process Names After Being Decrypted In Memory]\r\nAnd here is the list of processes that will be terminated if they exist:\r\nwxServer\r\nwxServerView\r\nsqlmangr\r\nRAgui\r\nsupervise\r\nCulture\r\nDefwatch\r\nwinword\r\nQBW32\r\nQBDBMgr\r\nqbupdate\r\naxlbridge\r\nhttpd\r\nfdlauncher\r\nMsDtSrvr\r\njava\r\n360se\r\n360doctor\r\nwdswfsafe\r\nfdhost\r\nGDscan\r\nZhuDongFangYu\r\nQBDBMgrN\r\nmysqld\r\nAutodeskDesktopApp\r\nacwebbrowser\r\nCreative Cloud\r\nAdobe Desktop Service\r\nCoreSync\r\nAdobe CEF Helper\r\nnode\r\nAdobeIPCBroker\r\nsync-taskbar\r\nsync-worker\r\nInputPersonalization\r\nAdobeCollabSync\r\nBrCtrlCntr\r\nBrCcUxSys\r\nSimplyConnectionManager\r\nSimply.SystemTrayIcon\r\nfbguard\r\nfbserver\r\nONENOTEM\r\nwsa_service\r\nkoaly-exp-engine-service\r\nTeamViewer_Service\r\nTeamViewer\r\ntv_w32\r\ntv_x64\r\nTitanV\r\nSsms\r\nnotepad\r\nRdrCEF\r\noracle\r\nocssd\r\ndbsnmp\r\nsynctime\r\nagntsvc\r\nisqlplussvc\r\nxfssvccon\r\nmydesktopservice\r\nocautoupds\r\nencsvc\r\nfirefox\r\ntbirdconfig\r\nmydesktopqos\r\nocomm\r\ndbeng50\r\nsqbcoreservice\r\nexcel\r\ninfopath\r\nmsaccess\r\nmspub\r\nonenote\r\noutlook\r\npowerpnt\r\nsteam\r\nthebat\r\nthunderbird\r\nvisio\r\nwordpad\r\nbedbh\r\nvxmon\r\nbenetns\r\nbengien\r\npvlsvr\r\nbeserver\r\nraw_agent_svc\r\nvsnapvss\r\nCagService\r\nDellSystemDetect\r\nEnterpriseClient\r\nVeeamDeploymentSvc\r\nStopping Services\r\nLockBit has a list of services that it will try to stop. It calls OpenSCManagerA to establish a connection to the service control manager on the local computer, then loops over the predefined list, passing each service name to OpenServiceA to check whether that service exists. If it does, LockBit checks its status by calling QueryServiceStatusEx and then calls ControlService with the parameter 0x00000001 (SERVICE_CONTROL_STOP) to stop the service. To avoid crashing the system, LockBit first stops all the dependent services, which it finds by calling EnumDependentServicesA, before stopping the target service. Those services are mostly backup services, anti-virus services, and other services that may lock files by holding handles to them.\r\n[Image: Stopping Some Services]\r\n[Image: Services Names After Being Decrypted In Memory]\r\nHere is the list of services that LockBit tries to stop:\r\nwrapper\r\nDefWatch\r\nccEvtMgr\r\nccSetMgr\r\nSavRoam\r\nSqlservr\r\nsqlagent\r\nsqladhlp\r\nCulserver\r\nRTVscan\r\nsqlbrowser\r\nSQLADHLP\r\nQBIDPService\r\nIntuit.QuickBooks.FCS\r\nQBCFMonitorService\r\nsqlwriter\r\nmsmdsrv\r\ntomcat6\r\nzhudongfangyu\r\nvmware-usbarbitator64\r\nvmware-converter\r\ndbsrv12\r\ndbeng8\r\nMSSQL$MICROSOFT##WID\r\nMSSQL$VEEAMSQL2012\r\nSQLAgent$VEEAMSQL2012\r\nSQLBrowser\r\nSQLWriter\r\nFishbowlMySQL\r\nMSSQL$MICROSOFT##WID\r\nMySQL57\r\nMSSQL$KAV_CS_ADMIN_KIT\r\nMSSQLServerADHelper100\r\nSQLAgent$KAV_CS_ADMIN_KIT\r\nmsftesql-Exchange\r\nMSSQL$MICROSOFT##SSEE\r\nMSSQL$SBSMONITORING\r\nMSSQL$SHAREPOINT\r\nMSSQLFDLauncher$SBSMONITORING\r\nMSSQLFDLauncher$SHAREPOINT\r\nSQLAgent$SBSMONITORING\r\nSQLAgent$SHAREPOINT\r\nQBFCService\r\nQBVSS\r\nYooBackup\r\nYooIT\r\nsvc$\r\nMSSQL\r\nMSSQL$\r\nmemtas\r\nmepocs\r\nsophos\r\nveeam\r\nbackup\r\nbedbg\r\nPDVFSService\r\nBackupExecVSSProvider\r\nBackupExecAgentAccelerator\r\nBackupExecAgentBrowser\r\nBackupExecDiveciMediaService\r\nBackupExecJobEngine\r\nBackupExecManagementService\r\nBackupExecRPCService\r\nMVArmor\r\nMVarmor64\r\nstc_raw_agent\r\nVSNAPVSS\r\nVeeamTransportSvc\r\nVeeamDeploymentService\r\nVeeamNFSSvc\r\nAcronisAgent\r\nARSM\r\nAcrSch2Svc\r\nCASAD2DWebSvc\r\nCAARCUpdateSvc\r\nWSBExchange\r\nMSExchange\r\nMSExchange$\r\nExcluding Files And Directories\r\nTo avoid crashing the system, to make sure the system still has working browsers for connecting and negotiating, to avoid entering an infinite loop of encrypting already-encrypted files, and to avoid encrypting the ransom notes, LockBit has a list of excluded files, folders, and extensions.\r\n[Image: A List Of Exclusions]\r\nHere is the list of exclusions:\r\nwindows\r\nintel\r\nrecycle.bin\r\ntor browser\r\nwindowsnt\r\nmsbuild\r\nmicrosoft\r\nall users\r\nsystem volume information\r\nperflogs\r\ngoogle\r\nappdata\r\nmozilla\r\nmicrosoft .net\r\nmicrosoft shared\r\ninternet explorer\r\ncommon files\r\nopera intel\r\nwindows journal\r\nntldr\r\nntuser.dat.log\r\nbootsec.bak\r\nautorun.inf\r\nthumbs.db\r\niconcahce.db\r\nrestore-my-files.txt\r\n.386\r\n.cmd\r\n.ani\r\n.adv\r\n.theme\r\n.msi\r\n.msp\r\n.com\r\n.diagpkg\r\n.nls\r\n.diagcab\r\n.lock\r\n.mpa\r\n.cpl\r\n.mod\r\n.hta\r\n.icns\r\n.prf\r\n.rtp\r\n.diagcfg\r\n.msstyles\r\n.bin\r\n.hlp\r\n.shs\r\n.drv\r\n.wpx\r\n.bat\r\n.rom\r\n.msc\r\n.spl\r\n.ps1\r\n.msu\r\n.ics\r\n.key\r\n.exe\r\n.dll\r\n.lnk\r\n.ico\r\n.hlp\r\n.sys\r\n.idx\r\n.ini\r\n.reg\r\n.mp3\r\n.lockbit\r\nMutex Creation\r\nTo avoid multiple infections of the same host, LockBit creates the mutex Global\\{BEF590BE-11A6-442A-A85B-656C1081E04C}. It first tries to open that mutex by calling OpenMutexA; if that succeeds, which means the host is already infected, it exits the process. Otherwise, it calls CreateMutexA to create the mutex and then proceeds with the rest of the malware functionality.\r\n[Image: Mutex Creation]\r\nPersistence\r\nTo maintain persistence and survive reboots, LockBit creates the registry value HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\XO1XADpO01 with its path on disk as the data.\r\n[Image: Maintaining Persistence]\r\n[Image: After Decrypting The Key In Memory]\r\nShutdown Prevention\r\nTo ensure that the encryption operation is not disrupted even by shutting the system down, LockBit creates a shutdown block reason by calling ShutdownBlockReasonCreate.\r\n[Image: Creating Shutdown Block Reason]\r\nNetwork Enumeration\r\nTo infect as many victims as possible, LockBit scans the attached drives and network shares, and when it finds files that meet the previously discussed requirements, it encrypts those files as well.\r\nLockBit starts this function by calling GetLogicalDrives to get a bitmask representing the currently available disk drives, then loops over them and passes each one to GetDriveTypeW to determine whether the drive is removable, fixed, CD-ROM, RAM disk, or network; it is specifically looking for 0x4 (DRIVE_REMOTE). Once it finds a network drive, it calls WNetGetConnectionW to retrieve the name of that network resource, then makes recursive calls to WNetOpenEnumW and WNetEnumResourceW to enumerate the folders and files of that network resource.\r\n[Image: Network Enumeration]\r\nLockBit can also access network shares that require user credentials by calling WNetAddConnection2W with lpUserName=0 and lpPassword=0, which automatically uses the username and password of the currently logged-on user.\r\n[Image: Connecting Over SMB]\r\n[Image: Connecting To Shares With Creds.]\r\nThe Ransom Note\r\nWhile LockBit is performing the encryption, it drops a text file called Restore-My-Files.txt, which is the ransom note:\r\nAll your important files are encrypted!\r\nAny attempts to restore your files with the thrid-party software will\r\nbe fatal for your files!\r\nRESTORE YOU DATA POSIBLE ONLY BUYING private key from us.\r\nThere is only one way to get your files back:\r\n| 1. Download Tor browser - https://www.torproject.org/ and install\r\nit.\r\n| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?\r\nA0C155001DD0CBxxxEDA0D\r\n This link only works in Tor Browser!\r\n| 3. Follow the instructions on this page\r\n ### Attention! ###\r\n # Do not rename encrypted files.\r\n # Do not try to decrypt using third party software, it may cause\r\npermanent data loss.\r\n # Decryption of your files with the help of third parties may cause\r\nincreased price(they add their fee to our).\r\n # Tor Browser may be blocked in your country or corporate network.\r\nUse https://bridges.torproject.org or use Tor Browser over VPN.\r\n # Tor Browser user manual https://tb-manual.torproject.org/about\r\n!!! We also download huge amount of your private data, including\r\nfinance information, clients personal info, network diagrams,\r\npasswords and so on.\r\nDon't forget about GDPR.\r\nThe content of this file is also encrypted and is decrypted in memory before the file is written.\r\n[Image: The Ransom-Note In Memory]\r\nSelf Deleting\r\nAfter a successful execution, LockBit deletes its executable to reduce the artifacts it leaves on the infected system. To do that, it runs the following command:\r\nC ping 1.1.1.1 -n 22 \u003e Nul \u0026 \\ \u003cthe path to the executable\u003e\r\n[Image: Self Deleting]\r\nInhibiting System Recovery\r\nAs almost all ransomware does, LockBit deletes the volume shadow copies and the backup catalog, disables automatic Windows recovery, and clears the Windows event logs as well, by running the following commands:\r\n/c vssadmin delete shadows /all /quiet \u0026 wmic shadowcopy delete \u0026 bcdedit /set {default} bootstatuspolicy ignoreallfailures \u0026 bcdedit /set {default} recoveryenabled No \u0026 wbadmin delete catalog -quiet\r\n/c vssadmin Delete Shadows /All /Quiet\r\n/c bcdedit /set {default} recoveryenabled No\r\n/c bcdedit /set {default} bootstatuspolicy ignoreallfailures\r\n/c wbadmin DELETE SYSTEMSTATEBACKUP\r\n/c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest\r\n/c wmic SHADOWCOPY /nointeractive\r\n/c wevtutil cl security\r\n/c wevtutil cl system\r\n/c wevtutil cl application\r\n[Image: After Decrypting The Commands In Memory]\r\n[Image: Behavioral Analysis Artifacts Of The Executed Commands]\r\nMitre TTPs\r\nThe following is a list of the most important MITRE ATT\u0026CK TTPs identified while analyzing the malware.\r\n[Image: Mitre TTPs]\r\nThanks for reading, your comments and feedback are most welcome 🙂\r\nSource: https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511"
	],
	"report_names": [
		"lockbit-ransomware-analysis-notes-93a542fc8511"
	],
	"threat_actors": [],
	"ts_created_at": 1775434121,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b670e1d071b0380ee825d762f18eb68c52b6b3b.pdf",
		"text": "https://archive.orkl.eu/5b670e1d071b0380ee825d762f18eb68c52b6b3b.txt",
		"img": "https://archive.orkl.eu/5b670e1d071b0380ee825d762f18eb68c52b6b3b.jpg"
	}
}