Analysis
-
max time kernel
43s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
07/02/2023, 14:41
Behavioral task
behavioral1
Sample
150484a1e19c17e3d2546c2094b06bd27d2b1680ce4df68f9f129eb34bd1478d.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
150484a1e19c17e3d2546c2094b06bd27d2b1680ce4df68f9f129eb34bd1478d.exe
Resource
win10v2004-20221111-en
General
-
Target
150484a1e19c17e3d2546c2094b06bd27d2b1680ce4df68f9f129eb34bd1478d.exe
-
Size
149KB
-
MD5
dca8fa45c2448fe71106f16b30cb4c22
-
SHA1
07869763d4033ac550aab09c7eb5c40e136428f5
-
SHA256
150484a1e19c17e3d2546c2094b06bd27d2b1680ce4df68f9f129eb34bd1478d
-
SHA512
1c4f489ec881dd00d5552275f4c4c5e69d77d7ea661d7f06624c451d3c253c41e8ae7ec2b76bb5c97fe3982320de26a5a069e6f9aca2ed6bffa5ef5b75fd4661
-
SSDEEP
3072:AxH3lP061yNzY0Qqnq9PpX7NWGGiXyzZLmMD6qf5+fTtTi/an2UnF3G1nkd:E3lP03Rq95hxUTDDf54TtT2a2kG1kd
Malware Config
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
resource yara_rule behavioral1/memory/364-55-0x0000000000400000-0x0000000000429000-memory.dmp family_lockbit -
Program crash 1 IoCs
pid pid_target Process procid_target 908 364 WerFault.exe 26 -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 364 wrote to memory of 908 364 150484a1e19c17e3d2546c2094b06bd27d2b1680ce4df68f9f129eb34bd1478d.exe 27 PID 364 wrote to memory of 908 364 150484a1e19c17e3d2546c2094b06bd27d2b1680ce4df68f9f129eb34bd1478d.exe 27 PID 364 wrote to memory of 908 364 150484a1e19c17e3d2546c2094b06bd27d2b1680ce4df68f9f129eb34bd1478d.exe 27 PID 364 wrote to memory of 908 364 150484a1e19c17e3d2546c2094b06bd27d2b1680ce4df68f9f129eb34bd1478d.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\150484a1e19c17e3d2546c2094b06bd27d2b1680ce4df68f9f129eb34bd1478d.exe"C:\Users\Admin\AppData\Local\Temp\150484a1e19c17e3d2546c2094b06bd27d2b1680ce4df68f9f129eb34bd1478d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 882⤵
- Program crash
PID:908
-