| Category | Details | References |
| --- | --- | --- |
| Actors | | |
| First Observed | July 2022 | 1 |
| Threat Actors | LockBit Black | 1 |
| Environment | | |
| Platforms | Windows | 2 |
| Artifacts | | |
| Extensions | HLJkNskOq, futRjC7nx | 3 |
| Ransomware Notes | Desktop Wallpaper, HLJkNskOq.Readme.txt or futRjC7nx.Readme.txt | 2 |
| Services it Disables | Terminates a list of services with specific names like backup GxBlr, GxCIMgr, GxCVD, GxFWD, GxVss, memtas, mepocs, msexchange, sophos, sql, svc$, veeam, vs, etc. | 2 |
| Other Observables | Execution of a batch file named 123.bat that disables Windows Defender and tampers with the Windows Event Logs | 2, 4 |
| Automation | | |
| Automatically Gains Access | No | |
| Automatically Escalates Privileges | Yes (bypasses user account control (UAC), duplicates the Explorer.exe token for its own use, and performs a 32-bit or 64-bit shellcode injection to elevate its token) | 3 |
| Requires Human Interaction | No | |
| Automatic Exfiltration | No. Adversaries observed spreading ransomware within the environment with psexec | 1 |
| Automatic Propagation | No. Adversaries observed exfiltrating sensitive information via MegaSync | 1 |

Please note, this page was last updated at 2023-03-14 20:21.