Analysis
-
max time kernel
141s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 07:39
Static task
static1
Behavioral task
behavioral1
Sample
c7a734bc1dd8ecb996fc1b50f2133b3f281b16e2a25dbb445c3f065b88bf9590.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c7a734bc1dd8ecb996fc1b50f2133b3f281b16e2a25dbb445c3f065b88bf9590.exe
Resource
win10v2004-20240508-en
General
-
Target
c7a734bc1dd8ecb996fc1b50f2133b3f281b16e2a25dbb445c3f065b88bf9590.exe
-
Size
352KB
-
MD5
ca18cbeb14b511e2a0ed10fd1d525941
-
SHA1
5ab566b16ffbc56feeb059541ad8145a3bc6dd63
-
SHA256
c7a734bc1dd8ecb996fc1b50f2133b3f281b16e2a25dbb445c3f065b88bf9590
-
SHA512
b2e71227d5c100815d56974ff2c861f898c161aeca14e78409902fef7e11832da742433bcfa19debbe2577f07abda2508a334144db1fc47e37281e87fae32c31
-
SSDEEP
6144:COAHKX0LfgPQ3/zCBJyymj/q7sO9Tjuacclkm10URHAeC8e3ciX87vW4kF:CZ5gPw/6kX/0N6acIbxZze3cr7u9F
Malware Config
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Rule to detect Lockbit 3.0 ransomware Windows payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2044-6-0x0000000000400000-0x0000000000444000-memory.dmp family_lockbit behavioral1/memory/2044-1-0x0000000000400000-0x0000000000444000-memory.dmp family_lockbit behavioral1/memory/2044-3-0x0000000000400000-0x0000000000444000-memory.dmp family_lockbit -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 2340 2044 WerFault.exe 29 -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
c7a734bc1dd8ecb996fc1b50f2133b3f281b16e2a25dbb445c3f065b88bf9590.exedescription pid Process procid_target PID 2044 wrote to memory of 2340 2044 c7a734bc1dd8ecb996fc1b50f2133b3f281b16e2a25dbb445c3f065b88bf9590.exe 30 PID 2044 wrote to memory of 2340 2044 c7a734bc1dd8ecb996fc1b50f2133b3f281b16e2a25dbb445c3f065b88bf9590.exe 30 PID 2044 wrote to memory of 2340 2044 c7a734bc1dd8ecb996fc1b50f2133b3f281b16e2a25dbb445c3f065b88bf9590.exe 30 PID 2044 wrote to memory of 2340 2044 c7a734bc1dd8ecb996fc1b50f2133b3f281b16e2a25dbb445c3f065b88bf9590.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7a734bc1dd8ecb996fc1b50f2133b3f281b16e2a25dbb445c3f065b88bf9590.exe"C:\Users\Admin\AppData\Local\Temp\c7a734bc1dd8ecb996fc1b50f2133b3f281b16e2a25dbb445c3f065b88bf9590.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1002⤵
- Program crash
PID:2340
-