Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-03-2024 04:07
Static task: static1
Behavioral task: behavioral1
  Sample: 1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518.dll
  Resource: win10v2004-20240226-en
General
Target: 1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518.dll
Size: 113KB
MD5: 44a19bd034e150b21084da75ad65ef0c
SHA1: 72666d6482fded7e524591a2bd61bb14494560a2
SHA256: 1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518
SHA512: e9801d9386ec3cc0a8086a790e8586847f180c1562d1ddcee06307edd44e2267a98018f2b51add2c9136af949da59aa9def76b49b66e6e4235d69d1b9246b99c
SSDEEP: 1536:+zICS4Az7zr5gUke9jyAa1d0obdsx1R4hRltKHvkT9SDFSDevAwxOOr:l1735ZzNwX0obdi3gJKvkBShSDaAHO
Malware Config
Extracted from: C:\Users\ndVkYtjAf.README.txt
Family: lockbit
URLs:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
Signatures
Lockbit
  Ransomware family with multiple variants released since late 2019.
Executes dropped EXE (1 IoC)
  PID 1392  BB4.tmp
Loads dropped DLL (1 IoC)
  PID 1780  rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
  PID 1780  rundll32.exe  x7
  PID 1392  BB4.tmp       x6
  (ThreadHideFromDebugger stops the calling thread from generating debug events; a common anti-debugging check.)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 1780  rundll32.exe  x10
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All 64 entries are by PID 1780 rundll32.exe. Privileges enabled, in the order reported:
    1-16:  SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege,
           SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege,
           SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege,
           SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege
    17-64: SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, repeated 12 times
  The entries "36" and "33" are numeric privilege values the report did not resolve to a name.
  SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege and SeSecurityPrivilege together let the process
  read, overwrite and take control of files regardless of their ACLs, which is what a file encryptor needs.
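The flattened list above, parsed: the following Python is an added example, not code from the sandbox report. It reads the report's own "Token: <privilege> <pid> <image>" text, collapses the repeated enables into counts, lists the numeric entries that were not resolved to a privilege name, and checks whether one process enabled the full set of privileges that together bypass file ACLs. Only the first 20 of the 64 entries are embedded, as a constructed excerpt of the report text; the ACL_BYPASS set is chosen here for the check and is not something the report states.

```python
r"""Parse a sandbox report's flattened AdjustPrivilegeToken list and summarise it.

Added example; not part of the original report. REPORT_EXCERPT is a constructed
excerpt (first 20 of the 64 reported entries) in the same text form as the page.
"""
import re
from collections import Counter

REPORT_EXCERPT = (
    "Token: SeAssignPrimaryTokenPrivilege 1780 rundll32.exe "
    "Token: SeBackupPrivilege 1780 rundll32.exe "
    "Token: SeDebugPrivilege 1780 rundll32.exe "
    "Token: 36 1780 rundll32.exe "
    "Token: SeImpersonatePrivilege 1780 rundll32.exe "
    "Token: SeIncBasePriorityPrivilege 1780 rundll32.exe "
    "Token: SeIncreaseQuotaPrivilege 1780 rundll32.exe "
    "Token: 33 1780 rundll32.exe "
    "Token: SeManageVolumePrivilege 1780 rundll32.exe "
    "Token: SeProfSingleProcessPrivilege 1780 rundll32.exe "
    "Token: SeRestorePrivilege 1780 rundll32.exe "
    "Token: SeSecurityPrivilege 1780 rundll32.exe "
    "Token: SeSystemProfilePrivilege 1780 rundll32.exe "
    "Token: SeTakeOwnershipPrivilege 1780 rundll32.exe "
    "Token: SeShutdownPrivilege 1780 rundll32.exe "
    "Token: SeDebugPrivilege 1780 rundll32.exe "
    "Token: SeBackupPrivilege 1780 rundll32.exe "
    "Token: SeBackupPrivilege 1780 rundll32.exe "
    "Token: SeSecurityPrivilege 1780 rundll32.exe "
    "Token: SeSecurityPrivilege 1780 rundll32.exe"
)

# One entry per "Token: <name-or-number> <pid> <image>" run in the report text.
TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")

# Privileges that, enabled together, let a process read, overwrite and take
# ownership of files irrespective of their ACLs. This set is an assumption made
# for the check here, not a classification from the report.
ACL_BYPASS = {
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
    "SeSecurityPrivilege",
}


def parse_token_events(text):
    """Return (privilege, pid, image) tuples in report order."""
    return [(name, int(pid), image) for name, pid, image in TOKEN_RE.findall(text)]


def privilege_counts(events):
    """Enable count per (pid, privilege); the repeated Backup/Security pairs collapse here."""
    return Counter((pid, name) for name, pid, _ in events)


def unresolved_luids(events):
    """Entries the report printed as a bare number instead of a privilege name."""
    return sorted({name for name, _, _ in events if name.isdigit()}, key=int)


def acl_bypass_processes(events):
    """PIDs that enabled every privilege in ACL_BYPASS at some point in the run."""
    per_pid = {}
    for name, pid, _ in events:
        per_pid.setdefault(pid, set()).add(name)
    return sorted(pid for pid, names in per_pid.items() if ACL_BYPASS <= names)


if __name__ == "__main__":
    evts = parse_token_events(REPORT_EXCERPT)
    for (pid, name), n in sorted(privilege_counts(evts).items()):
        print(f"{pid} {name}: x{n}")
    print("unresolved:", unresolved_luids(evts))
    print("ACL-bypass set fully enabled by:", acl_bypass_processes(evts))
```

The same parser runs unchanged over the full 64-entry text copied from the report; only the counts grow.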
Suspicious use of WriteProcessMemory (16 IoCs)
  source PID  source process  target PID  target process  count
  2196        rundll32.exe    1780        rundll32.exe    7
  1780        rundll32.exe    1392        BB4.tmp         5
  1392        BB4.tmp         2324        cmd.exe         4
  Every entry pairs a parent with the child it had just created, consistent with process set-up by the parent;
  no writes into an unrelated process are reported.
Processes
1. C:\Windows\system32\rundll32.exe  (PID 2196)
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe  (PID 1780)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518.dll,#1
      (the 32-bit rundll32 under SysWOW64, re-launched by the 64-bit one for the x86 DLL; ",#1" calls export ordinal 1)
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\BB4.tmp  (PID 1392)
         command line: "C:\ProgramData\BB4.tmp"
         - Executes dropped EXE
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe  (PID 2324)
            command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BB4.tmp >> NUL
            (deletes the dropped BB4.tmp after it has run; C:\PROGRA~3 is the 8.3 short name of C:\ProgramData,
            and the System32 path in the command line resolves to SysWOW64 for a 32-bit parent through file system redirection)
1. C:\Windows\system32\AUDIODG.EXE  (PID 2336)
   command line: C:\Windows\system32\AUDIODG.EXE 0x14c
   (separate process tree root, not spawned by the sample)
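The tree above, reduced to a detection: the following Python is an added example, not code from the sandbox report. It checks constructed process-creation records, built from the PIDs, image paths and command lines shown, for three of the behaviours the tree exhibits: rundll32 invoking a DLL export by ordinal (",#1"), a rundll32 parent launching an executable out of C:\ProgramData, and a cmd.exe child deleting its own parent's image. The parent PID of the first rundll32 is not in the report and is set to 0 here; the record shape (pid, ppid, image, cmdline) is an assumption and would be mapped from whatever process-creation telemetry is available.

```python
r"""Flag the rundll32 -> dropped ProgramData executable -> self-delete chain.

Added example, not part of the original sandbox report. EVENTS is constructed
from the process tree shown on the page; the ppid of PID 2196 is not reported
and is set to 0.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the executable image
    cmdline: str  # command line as logged


SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518.dll")

EVENTS = [
    ProcEvent(2196, 0, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(1780, 2196, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(1392, 1780, r"C:\ProgramData\BB4.tmp", r'"C:\ProgramData\BB4.tmp"'),
    ProcEvent(2324, 1392, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BB4.tmp >> NUL'),
    ProcEvent(2336, 0, r"C:\Windows\system32\AUDIODG.EXE", r"C:\Windows\system32\AUDIODG.EXE 0x14c"),
]

# "<dll>,#<n>" makes rundll32 call an export by ordinal rather than by name.
ORDINAL_RE = re.compile(r"\.dll\s*,\s*#\d+\s*$", re.IGNORECASE)
# cmd.exe DEL with any switches; group 1 is the first target path.
DEL_RE = re.compile(r"\bDEL\s+(?:/\S+\s+)*(\S+)", re.IGNORECASE)


def _by_pid(events):
    return {e.pid: e for e in events}


def _basename(path):
    """Final path component, unquoted and lower-cased, for case-insensitive NTFS names."""
    return ntpath.basename(path.strip('"')).lower()


def rundll32_ordinal_loads(events):
    """rundll32 processes whose command line ends in <dll>,#<ordinal>."""
    return [e for e in events
            if _basename(e.image) == "rundll32.exe" and ORDINAL_RE.search(e.cmdline)]


def programdata_children_of_rundll32(events):
    """Executables launched from C:\ProgramData by a rundll32 parent."""
    parents = _by_pid(events)
    hits = []
    for e in events:
        p = parents.get(e.ppid)
        if p and _basename(p.image) == "rundll32.exe" \
                and e.image.lower().startswith("c:\\programdata\\"):
            hits.append(e)
    return hits


def self_deletions(events):
    r"""cmd.exe children that DEL their own parent's image.

    Matched on the final path component only: the report shows the 8.3 short
    form C:\PROGRA~3\BB4.tmp for C:\ProgramData\BB4.tmp, so a full-path
    comparison would miss exactly this case.
    """
    parents = _by_pid(events)
    hits = []
    for e in events:
        if _basename(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        p = parents.get(e.ppid)
        if m and p and _basename(m.group(1)) == _basename(p.image):
            hits.append((p.pid, e.pid, m.group(1)))
    return hits


def summarize(events):
    return {
        "rundll32_ordinal_loads": [e.pid for e in rundll32_ordinal_loads(events)],
        "programdata_children_of_rundll32": [e.pid for e in programdata_children_of_rundll32(events)],
        "self_deletions": self_deletions(events),
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```

Each check on its own is weak (rundll32 ordinal calls and ProgramData executables both occur in legitimate software); the chain of all three on one lineage, rundll32 -> ProgramData binary -> cmd DEL of that binary, is what makes the tree above worth alerting on.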
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 10KB
  MD5: fca975e2563293f289d47a8c9fe897af
  SHA1: 09de20439fbf20d936baa6ac0cebccbf34ef87cf
  SHA256: 301600771cf58007cab8b74a95c4c5549f18e4cf86cf332b0545bfa4cae9e5aa
  SHA512: 0b3c9882465e879ac55a621189f5597051cde4658126be290f7fd0ac274b9a5f9fe362866f485298ca6743e32a50c39f9a68b6af05363987c3513dd7a67c4c7c
File 2
  Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf