Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 14-03-2024 04:23
Behavioral task: behavioral1
Sample: e2a0224a81cf7c568679c751a6e540db172c2310d52ca314000ba97b7dfe3870.dll
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: e2a0224a81cf7c568679c751a6e540db172c2310d52ca314000ba97b7dfe3870.dll
Resource: win10v2004-20240226-en
General
Target: e2a0224a81cf7c568679c751a6e540db172c2310d52ca314000ba97b7dfe3870.dll
Size: 145KB
MD5: fb46847a33786db349831ceb51fb21b5
SHA1: d9b48df493ef818ccf5702cea307e51466b758f0
SHA256: e2a0224a81cf7c568679c751a6e540db172c2310d52ca314000ba97b7dfe3870
SHA512: ea4c68acbce42f56c6453792c60d6b67def143f8a51110f80e0a68d7d424fdce2147023248e46fceaae8107f4a1aed64a711a04e3e10c9347aeaa305de025602
SSDEEP: 3072:sJ86CimiAMXacFU7z8pLB62KqQ57fhSCWFyFpJE4g+DzWfNz6tmZff6bevFIw2:UVCtyTOUapR3qSaF+tmZlvt2
Malware Config
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Rule to detect Lockbit 3.0 ransomware Windows payload (1 IoC)
Processes:
resource: behavioral1/memory/1292-0-0x0000000010000000-0x0000000010028000-memory.dmp
yara_rule: family_lockbit
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                      | PID  | process      | target PID | target process
PID 2040 wrote to memory of 1292 | 2040 | rundll32.exe | 1292       | rundll32.exe
PID 2040 wrote to memory of 1292 | 2040 | rundll32.exe | 1292       | rundll32.exe
PID 2040 wrote to memory of 1292 | 2040 | rundll32.exe | 1292       | rundll32.exe
PID 2040 wrote to memory of 1292 | 2040 | rundll32.exe | 1292       | rundll32.exe
PID 2040 wrote to memory of 1292 | 2040 | rundll32.exe | 1292       | rundll32.exe
PID 2040 wrote to memory of 1292 | 2040 | rundll32.exe | 1292       | rundll32.exe
PID 2040 wrote to memory of 1292 | 2040 | rundll32.exe | 1292       | rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2a0224a81cf7c568679c751a6e540db172c2310d52ca314000ba97b7dfe3870.dll,#1
   PID: 2040
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 2040)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2a0224a81cf7c568679c751a6e540db172c2310d52ca314000ba97b7dfe3870.dll,#1
      PID: 1292