Analysis
max time kernel: 92s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-03-2024 04:07
Static task: static1
Behavioral task: behavioral1
  Sample: 1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518.dll
  Resource: win10v2004-20240226-en
General
Target: 1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518.dll
Size: 113KB
MD5: 44a19bd034e150b21084da75ad65ef0c
SHA1: 72666d6482fded7e524591a2bd61bb14494560a2
SHA256: 1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518
SHA512: e9801d9386ec3cc0a8086a790e8586847f180c1562d1ddcee06307edd44e2267a98018f2b51add2c9136af949da59aa9def76b49b66e6e4235d69d1b9246b99c
SSDEEP: 1536:+zICS4Az7zr5gUke9jyAa1d0obdsx1R4hRltKHvkT9SDFSDevAwxOOr:l1735ZzNwX0obdi3gJKvkBShSDaAHO
Malware Config
Extracted
C:\Users\ndVkYtjAf.README.txt
lockbit
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
Processes:
PID   Process
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
PID   Process
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
4148  rundll32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
Token                          PID   Process
SeAssignPrimaryTokenPrivilege  4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeDebugPrivilege               4148  rundll32.exe
36                             4148  rundll32.exe
SeImpersonatePrivilege         4148  rundll32.exe
SeIncBasePriorityPrivilege     4148  rundll32.exe
SeIncreaseQuotaPrivilege       4148  rundll32.exe
33                             4148  rundll32.exe
SeManageVolumePrivilege        4148  rundll32.exe
SeProfSingleProcessPrivilege   4148  rundll32.exe
SeRestorePrivilege             4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeSystemProfilePrivilege       4148  rundll32.exe
SeTakeOwnershipPrivilege       4148  rundll32.exe
SeShutdownPrivilege            4148  rundll32.exe
SeDebugPrivilege               4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeAssignPrimaryTokenPrivilege  4148  rundll32.exe
SeBackupPrivilege              4148  rundll32.exe
SeDebugPrivilege               4148  rundll32.exe
36                             4148  rundll32.exe
SeImpersonatePrivilege         4148  rundll32.exe
SeIncBasePriorityPrivilege     4148  rundll32.exe
SeIncreaseQuotaPrivilege       4148  rundll32.exe
33                             4148  rundll32.exe
SeManageVolumePrivilege        4148  rundll32.exe
SeProfSingleProcessPrivilege   4148  rundll32.exe
SeRestorePrivilege             4148  rundll32.exe
SeSecurityPrivilege            4148  rundll32.exe
SeSystemProfilePrivilege       4148  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
Description                       PID   Process       Target process
PID 1408 wrote to memory of 4148  1408  rundll32.exe  rundll32.exe
PID 1408 wrote to memory of 4148  1408  rundll32.exe  rundll32.exe
PID 1408 wrote to memory of 4148  1408  rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1408
  C:\Windows\SysWOW64\rundll32.exe (child of PID 1408)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e10e08cdaa10e1c490dcfe4773f1a72183d340f880d19e89a54965c37aa3518.dll,#1
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4148
Downloads
Filesize: 10KB
MD5: fcf663a3d65220f447d7f71736c1da6b
SHA1: a228033f688c719c77ded0eceb3600d49fc07c09
SHA256: f37d783c7a54ac8e05b17c601d28f8941ab26354c583d45a008d256d9031192b
SHA512: d3eb447ca020522830a73c501794ed2af72ba25d574d987a7f104fb856c0c14dcb007da33c66526d3ae678dc6fdf6a3272fd22a08ccb663ddba15fce3fda6a9f