Analysis
- max time kernel: 89s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 13-03-2024 16:42
Behavioral tasks
- behavioral1: Sample 1866b28b51045944df18e63c9a5989afe985e30ff1944db6544ca76b32235567.exe, Resource win7-20240215-en
- behavioral2: Sample 1866b28b51045944df18e63c9a5989afe985e30ff1944db6544ca76b32235567.exe, Resource win10v2004-20240226-en
- behavioral3: Sample 1866b28b51045944df18e63c9a5989afe985e30ff1944db6544ca76b32235567.exe, Resource win11-20240221-en
General
- Target: 1866b28b51045944df18e63c9a5989afe985e30ff1944db6544ca76b32235567.exe
- Size: 155KB
- MD5: 7f58f9289043b2a83499feccfb99d540
- SHA1: e56759e391b3c03d2ef739cf3cf12b9b694aeade
- SHA256: 1866b28b51045944df18e63c9a5989afe985e30ff1944db6544ca76b32235567
- SHA512: 37b49d90e1f6fc9faa3f2838a2b0271de673561f4a131d78f7f450c592ea05e21683752ad208ced5a21757a209e7c9610f886f5fc7ebb9ab83f33806fd885e79
- SSDEEP: 3072:2np35jXFxXHcJhKq5mPyhOw7DZcdIP1MRg0h9VE534dZ0gYHBjDDd:2zjF+Jx5mSlRcdISR9Va34H0D5DDd
Malware Config
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Rule to detect Lockbit 3.0 ransomware Windows payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1776-0-0x0000000000400000-0x000000000042A000-memory.dmp | family_lockbit
  behavioral1/memory/1776-1-0x0000000000400000-0x000000000042A000-memory.dmp | family_lockbit
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  2956 | 1776 | WerFault.exe | 1866b28b51045944df18e63c9a5989afe985e30ff1944db6544ca76b32235567.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 1776 wrote to memory of 2956 | 1776 | 1866b28b51045944df18e63c9a5989afe985e30ff1944db6544ca76b32235567.exe | WerFault.exe
  PID 1776 wrote to memory of 2956 | 1776 | 1866b28b51045944df18e63c9a5989afe985e30ff1944db6544ca76b32235567.exe | WerFault.exe
  PID 1776 wrote to memory of 2956 | 1776 | 1866b28b51045944df18e63c9a5989afe985e30ff1944db6544ca76b32235567.exe | WerFault.exe
  PID 1776 wrote to memory of 2956 | 1776 | 1866b28b51045944df18e63c9a5989afe985e30ff1944db6544ca76b32235567.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1866b28b51045944df18e63c9a5989afe985e30ff1944db6544ca76b32235567.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1866b28b51045944df18e63c9a5989afe985e30ff1944db6544ca76b32235567.exe"
  PID: 1776
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 88
    PID: 2956
    - Program crash