Analysis
max time kernel: 31s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 07/02/2023, 14:41
Behavioral task: behavioral1
Sample: c442383af4a3bb13538949702c54304c60167cd9dccf3cb2a356895572f161d9.dll
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: c442383af4a3bb13538949702c54304c60167cd9dccf3cb2a356895572f161d9.dll
Resource: win10v2004-20221111-en
General
Target: c442383af4a3bb13538949702c54304c60167cd9dccf3cb2a356895572f161d9.dll
Size: 148KB
MD5: 8aa31303568c6cff3e3759cc08f548ac
SHA1: 5cf23b5b264a2c7302a2b6e9b3cf92897fcb61a8
SHA256: c442383af4a3bb13538949702c54304c60167cd9dccf3cb2a356895572f161d9
SHA512: 1d6301f5d953ede442c0d8db0efe4a0fc27b5291706b5baff656c2ec94c33e3ddc41435671578d4f3799a5160e9ce239dfe3f8841026140e2995749e4008f4a4
SSDEEP: 3072:gYlD/mN2iSGcSq9t//E/KFoQzW2P6nLxWKGwzqEt/I45a6ohMPS3mpDvDWAWyBPr:gYJ/O3ST9xPt62PaIwjw45joSpD7qUr
Malware Config

Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.

Rule to detect Lockbit 3.0 ransomware Windows payload (1 IoC)
resource | yara_rule
behavioral1/memory/864-56-0x0000000010000000-0x0000000010029000-memory.dmp | family_lockbit

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 944 wrote to memory of 864 | 944 | rundll32.exe | 28
PID 944 wrote to memory of 864 | 944 | rundll32.exe | 28
PID 944 wrote to memory of 864 | 944 | rundll32.exe | 28
PID 944 wrote to memory of 864 | 944 | rundll32.exe | 28
PID 944 wrote to memory of 864 | 944 | rundll32.exe | 28
PID 944 wrote to memory of 864 | 944 | rundll32.exe | 28
PID 944 wrote to memory of 864 | 944 | rundll32.exe | 28
Processes
C:\Windows\system32\rundll32.exe (PID: 944)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c442383af4a3bb13538949702c54304c60167cd9dccf3cb2a356895572f161d9.dll,#1
  signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID: 864)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c442383af4a3bb13538949702c54304c60167cd9dccf3cb2a356895572f161d9.dll,#1