Back in Black: Unlocking a LockBit 3.0 Ransomware Attack

Event ID: 1525
UUID: 095c4227-2a9e-45da-9268-cec186be53b1
Creator org: CUDESO
Owner org: LUNCHBOX
Creator user: admin@admin.test
Protected Event (experimental): Event is in unprotected mode.
Tags: tlp:white
Date: 2022-08-21
Threat Level: High
Analysis: Completed
Distribution: All communities
Published: Yes (2022-08-23 08:13:20)
Attributes: 14 (1 object)
First recorded change: 2022-08-21 17:55:30
Last change: 2022-08-21 18:03:12
Sightings: 0 (0), restricted to own organisation only.


Galaxies

Ransomware 

  •  LockBit   

Tool 

  •  BloodHound – S0521   

Enterprise Attack – Tool 

  •  Cobalt Strike – S0154   

Attack Pattern 

  •  PowerShell – T1059.001   
  •  Windows Command Shell – T1059.003   
  •  Drive-by Compromise – T1189   
  •  Service Execution – T1569.002   

Attributes (every attribute has distribution "Inherit" and 0 sightings)

Object: file (2022-08-21, references: none)
  Date        Category           Type      Value                                                 Comment
  2022-08-21  Payload delivery   filename  %ALLUSERSPROFILE%\123.bat                             Batch script to tamper with security software and services
  2022-08-21  Payload delivery   sha1      d826a846cb7d8de539f47691fe2234f0fc6b4fa0

Standalone attributes
  Date        Category           Type      Value                                                 Comment
  2022-08-21  Payload delivery   filename  %ALLUSERSPROFILE%\VGAuthService\VGAuthService.dll     Cobalt Strike beacon deployed by SocGholish
  2022-08-21  Payload delivery   filename  %WINDIR%\zz.exe                                       Ransomware executable
  2022-08-21  Payload delivery   filename  %ALLUSERSPROFILE%\zz.exe                              Ransomware executable
  2022-08-21  Payload delivery   filename  \Desktop\zzz.exe                                      Ransomware executable
  2022-08-21  Payload delivery   filename  \appdata\local\megasync\megasync.exe                  Mega sync software
  2022-08-21  Payload delivery   filename  %ALLUSERSPROFILE%\PsExec.exe                          PsExec
  2022-08-21  Payload delivery   filename  %ALLUSERSPROFILE%\svchost.dll                         Cobalt Strike beacons
  2022-08-21  Payload delivery   filename  %ALLUSERSPROFILE%\conhost.dll                         Cobalt Strike beacons
  2022-08-21  Payload delivery   filename  %ALLUSERSPROFILE%\svchost1.dll                        Cobalt Strike beacons
  2022-08-21  Network activity   ip-dst    194.26.29.13                                          Cobalt Strike C2 server
  2022-08-21  Network activity   domain    orangebronze.com                                      Cobalt Strike C2 server
  2022-08-21  External analysis  link      https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
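Hunting these indicators in endpoint telemetry, as an added example that is not part of this event or of the linked NCC Group report: the script copies the event's indicator values and comments, expands the %ALLUSERSPROFILE% and %WINDIR% placeholders to their stock locations (an assumption; the event does not say where they pointed on the victim hosts), treats the relative paths (\Desktop\zzz.exe, \appdata\local\megasync\megasync.exe) as suffix matches, and runs the result over a handful of constructed Sysmon-style records. The record layout and the sample records are constructed for illustration, not real telemetry.

```python
"""Hunt for this event's indicators in endpoint telemetry.

Added example: the matching rules, the Sysmon-style record layout and the
sample records are constructed assumptions, not part of MISP event 1525 or
of the NCC Group report it links to. Only the indicator values and comments
are copied from the event.
"""
import re

# Indicators copied from the event's attribute table.
FILENAME_IOCS = {
    r"%ALLUSERSPROFILE%\123.bat": "Batch script to tamper with security software and services",
    r"%ALLUSERSPROFILE%\VGAuthService\VGAuthService.dll": "Cobalt Strike beacon deployed by SocGholish",
    r"%WINDIR%\zz.exe": "Ransomware executable",
    r"%ALLUSERSPROFILE%\zz.exe": "Ransomware executable",
    r"\Desktop\zzz.exe": "Ransomware executable",
    r"\appdata\local\megasync\megasync.exe": "Mega sync software",
    r"%ALLUSERSPROFILE%\PsExec.exe": "PsExec",
    r"%ALLUSERSPROFILE%\svchost.dll": "Cobalt Strike beacon",
    r"%ALLUSERSPROFILE%\conhost.dll": "Cobalt Strike beacon",
    r"%ALLUSERSPROFILE%\svchost1.dll": "Cobalt Strike beacon",
}
SHA1_IOCS = {"d826a846cb7d8de539f47691fe2234f0fc6b4fa0": "123.bat (file object)"}
IP_IOCS = {"194.26.29.13": "Cobalt Strike C2 server"}
DOMAIN_IOCS = {"orangebronze.com": "Cobalt Strike C2 server"}

# Stock locations of the two placeholders. This is an assumption: the event
# does not record where the variables pointed on the victim hosts. Drive
# letters are stripped before comparison, so C:\ and D:\ installs both match.
ENV_EXPANSIONS = {"%ALLUSERSPROFILE%": r"\ProgramData", "%WINDIR%": r"\Windows"}

_DRIVE = re.compile(r"^[a-z]:", re.IGNORECASE)


def normalize(path):
    """Lower-case, unify slashes and drop a leading drive letter."""
    return _DRIVE.sub("", path.replace("/", "\\")).lower()


def expand_ioc(ioc):
    """Substitute the placeholders, then normalize like an observed path."""
    for var, val in ENV_EXPANSIONS.items():
        ioc = ioc.replace(var, val)
    return normalize(ioc)


def path_matches(observed, ioc):
    """Absolute IOCs (a placeholder or drive letter up front) must equal the
    whole path: %ALLUSERSPROFILE%\\zz.exe does not match a zz.exe in Temp.
    Relative IOCs such as \\Desktop\\zzz.exe match as a suffix in any profile."""
    obs, pat = normalize(observed), expand_ioc(ioc)
    if ioc.startswith("%") or _DRIVE.match(ioc):
        return obs == pat
    return obs.endswith(pat)


def sha1_from_hashes(field):
    """Pull the SHA1 out of a Sysmon-style 'ALG=hex,ALG=hex' Hashes field."""
    for part in field.split(","):
        alg, _, value = part.partition("=")
        if alg.strip().upper() == "SHA1":
            return value.strip().lower()
    return None


def hunt(events):
    """Return (record index, ioc type, ioc value, comment) for every hit."""
    hits = []
    for i, ev in enumerate(events):
        for field in ("Image", "TargetFilename", "ImageLoaded"):
            path = ev.get(field)
            if path:
                for ioc, note in FILENAME_IOCS.items():
                    if path_matches(path, ioc):
                        hits.append((i, "filename", ioc, note))
        sha1 = sha1_from_hashes(ev.get("Hashes", ""))
        if sha1 in SHA1_IOCS:
            hits.append((i, "sha1", sha1, SHA1_IOCS[sha1]))
        ip = ev.get("DestinationIp")
        if ip in IP_IOCS:
            hits.append((i, "ip-dst", ip, IP_IOCS[ip]))
        query = (ev.get("QueryName") or "").lower().rstrip(".")
        for dom, note in DOMAIN_IOCS.items():
            if query == dom or query.endswith("." + dom):
                hits.append((i, "domain", dom, note))
    return hits


# Constructed Sysmon-style records (not real telemetry): 1 process create,
# 3 network connect, 7 image load, 11 file create, 22 DNS query.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\123.bat",
     "Hashes": "SHA1=D826A846CB7D8DE539F47691FE2234F0FC6B4FA0"},
    {"EventID": 7, "ImageLoaded": r"C:\ProgramData\VGAuthService\VGAuthService.dll"},
    {"EventID": 1, "Image": r"C:\ProgramData\PsExec.exe"},
    {"EventID": 1, "Image": r"D:\Users\alice\Desktop\zzz.exe"},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\zz.exe"},  # wrong directory, no hit
    {"EventID": 3, "DestinationIp": "194.26.29.13", "DestinationPort": 443},
    {"EventID": 22, "QueryName": "cdn.orangebronze.com."},
    {"EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]

if __name__ == "__main__":
    for idx, kind, value, note in hunt(SAMPLE_EVENTS):
        print(f"record {idx}: {kind} {value} ({note})")
```

Absolute indicators are compared as whole paths on purpose: zz.exe or svchost.dll in some other directory is not what the event describes, and a loose substring match on names that common would drown the hit in noise. The domain check also covers subdomains of the listed C2 domain. megasync.exe is legitimate software, so a hit on that row is context for the rest of the timeline rather than an alert on its own.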