Ransomware: LockBit

Question

I can't figure out what question 7 is looking for as the answer. I ensured I was looking at logs with an EventType of SetValue, I ensured it was LockBit.exe doing the event, but nothing I've tried from that works for the answer. Either I'm querying something wrong, or

arthurdent · Answer

Nevermind. Figured it out by looking at all the Type 13 logs.

andrea · Answer

What was the answer, I am struggling to figure this out?

arthurdent · Answer

It's asking for the first change, so you need to sort the events - the _time field only goes down to the second so there are a whole lot of events in the same second; the UtcTime is more precise - sort on that and get the first one. It just wants the channel name by itself.&nbsp;

andrea · Answer

Thanks, I was able to finally figure it out.&nbsp;

Forum Discussion

Ransomware: LockBit

4 Replies

Featured Places

Help

Related Content

Ransomware: Darkside - Question 9

Ransomware: Darkside - Question 8

Ransomware: Annabelle Entry Point

Ransomware: Bad Rabbit - Registry key

Ransomware: Snake

Recent Discussions

APT34: Glimpse - Question 4

Hafnium: ProxyLogon (Offensive) - Question 3

Hafnium: ProxyLogon (Offensive) - Question 3

Threat Actors: Salt Typhoon – SNAPPYBEE Campaign Analysis - Question 3

Threat Actors: Mint Sandstorm – Campaign Analysis - Question 9