Analysis

max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 13:35
Static task: static1

Behavioral task: behavioral1
Sample: 177f2296527466017c3984a48973a57b3e967c7c74196576309eae416c1d7f18.dll
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 177f2296527466017c3984a48973a57b3e967c7c74196576309eae416c1d7f18.dll
Resource: win10v2004-20240508-en
General

Target: 177f2296527466017c3984a48973a57b3e967c7c74196576309eae416c1d7f18.dll
Size: 309KB
MD5: 2ba13939bb7b14586052e73f4c81efb4
SHA1: e2c9db7071cc5f1fcb4e9a55c4723d3e735fbc6a
SHA256: 177f2296527466017c3984a48973a57b3e967c7c74196576309eae416c1d7f18
SHA512: 6c1e9b44e94fbc9c2cdd12a691f9ca18b31ad46cb94cd5bf12b15d0df374db7874a9bc8642b750f7f94e9d4e078dca4dd03235f5772c3d440b44de74463c77cc
SSDEEP: 6144:qCj61q03fA/yyjyjFwtS4Y52nWzDv6Lyt01St7nEpFJb2j9J:+YbWqttqTM20wRwF52z
Malware Config

Extracted
Path: C:\Users\AKEVizErI.README.txt
Family: lockbit
URLs:
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Renames multiple (326) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Executes dropped EXE (2 IoCs)
Processes:
pid 1132  2A2C.tmp
pid 764   2AD9.tmp

Loads dropped DLL (2 IoCs)
Processes:
pid 2592  rundll32.exe
pid 2592  rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes:
Set value (str)  \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AKEVizErI.bmp"  rundll32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AKEVizErI.bmp"  rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes:
pid 2592  rundll32.exe
pid 2592  rundll32.exe
pid 2592  rundll32.exe
pid 2592  rundll32.exe
pid 2592  rundll32.exe
pid 2592  rundll32.exe
pid 1132  2A2C.tmp
pid 2592  rundll32.exe
pid 764   2AD9.tmp

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Control Panel (2 IoCs)
Processes:
Key created      \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop  rundll32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallpaperStyle = "10"  rundll32.exe

Modifies registry class (5 IoCs)
Processes:
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI\DefaultIcon  rundll32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI  rundll32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI\DefaultIcon\ = "C:\\ProgramData\\AKEVizErI.ico"  rundll32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.AKEVizErI  rundll32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.AKEVizErI\ = "AKEVizErI"  rundll32.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
pid 2592  rundll32.exe
pid 2592  rundll32.exe
pid 2592  rundll32.exe
pid 2592  rundll32.exe
pid 2592  rundll32.exe
pid 2592  rundll32.exe
pid 2592  rundll32.exe
pid 2592  rundll32.exe
pid 2592  rundll32.exe
pid 2592  rundll32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (all entries: pid 2592, rundll32.exe):
Token: SeAssignPrimaryTokenPrivilege
Token: SeBackupPrivilege
Token: SeDebugPrivilege
Token: 36
Token: SeImpersonatePrivilege
Token: SeIncBasePriorityPrivilege
Token: SeIncreaseQuotaPrivilege
Token: 33
Token: SeManageVolumePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeRestorePrivilege
Token: SeSecurityPrivilege
Token: SeSystemProfilePrivilege
Token: SeTakeOwnershipPrivilege
Token: SeShutdownPrivilege
Token: SeBackupPrivilege
Token: SeDebugPrivilege
Token: SeBackupPrivilege
Token: SeSecurityPrivilege
Token: SeSecurityPrivilege
Token: SeBackupPrivilege
Token: SeBackupPrivilege
Token: SeSecurityPrivilege
Token: SeSecurityPrivilege
Token: SeBackupPrivilege
Token: SeBackupPrivilege
Token: SeSecurityPrivilege
Token: SeSecurityPrivilege
Token: SeBackupPrivilege
Token: SeBackupPrivilege
Token: SeSecurityPrivilege
Token: SeSecurityPrivilege
Token: SeBackupPrivilege
Token: SeBackupPrivilege
Token: SeSecurityPrivilege
Token: SeSecurityPrivilege
Token: SeBackupPrivilege
Token: SeBackupPrivilege
Token: SeSecurityPrivilege
Token: SeSecurityPrivilege
Token: SeBackupPrivilege
Token: SeBackupPrivilege
Token: SeSecurityPrivilege
Token: SeSecurityPrivilege
Token: SeBackupPrivilege
Token: SeBackupPrivilege
Token: SeSecurityPrivilege
Token: SeSecurityPrivilege
Token: SeBackupPrivilege
Token: SeBackupPrivilege
Token: SeSecurityPrivilege
Token: SeSecurityPrivilege
Token: SeBackupPrivilege
Token: SeBackupPrivilege
Token: SeSecurityPrivilege
Token: SeSecurityPrivilege
Token: SeBackupPrivilege
Token: SeBackupPrivilege
Token: SeSecurityPrivilege
Token: SeSecurityPrivilege
Token: SeBackupPrivilege
Token: SeBackupPrivilege
Token: SeSecurityPrivilege
Token: SeSecurityPrivilege
Suspicious use of WriteProcessMemory (21 IoCs)
Processes (description / pid / Process / procid_target):
PID 836 wrote to memory of 2592   836   rundll32.exe  28
PID 836 wrote to memory of 2592   836   rundll32.exe  28
PID 836 wrote to memory of 2592   836   rundll32.exe  28
PID 836 wrote to memory of 2592   836   rundll32.exe  28
PID 836 wrote to memory of 2592   836   rundll32.exe  28
PID 836 wrote to memory of 2592   836   rundll32.exe  28
PID 836 wrote to memory of 2592   836   rundll32.exe  28
PID 2592 wrote to memory of 1132  2592  rundll32.exe  31
PID 2592 wrote to memory of 1132  2592  rundll32.exe  31
PID 2592 wrote to memory of 1132  2592  rundll32.exe  31
PID 2592 wrote to memory of 1132  2592  rundll32.exe  31
PID 2592 wrote to memory of 1132  2592  rundll32.exe  31
PID 2592 wrote to memory of 764   2592  rundll32.exe  32
PID 2592 wrote to memory of 764   2592  rundll32.exe  32
PID 2592 wrote to memory of 764   2592  rundll32.exe  32
PID 2592 wrote to memory of 764   2592  rundll32.exe  32
PID 2592 wrote to memory of 764   2592  rundll32.exe  32
PID 764 wrote to memory of 300    764   2AD9.tmp      33
PID 764 wrote to memory of 300    764   2AD9.tmp      33
PID 764 wrote to memory of 300    764   2AD9.tmp      33
PID 764 wrote to memory of 300    764   2AD9.tmp      33
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\177f2296527466017c3984a48973a57b3e967c7c74196576309eae416c1d7f18.dll,#1
  PID: 836
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\177f2296527466017c3984a48973a57b3e967c7c74196576309eae416c1d7f18.dll,#1
    PID: 2592
    - Loads dropped DLL
    - Sets desktop wallpaper using registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\2A2C.tmp
      Command line: "C:\ProgramData\2A2C.tmp"
      PID: 1132
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger

    C:\ProgramData\2AD9.tmp
      Command line: "C:\ProgramData\2AD9.tmp"
      PID: 764
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2AD9.tmp >> NUL
        PID: 300

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x148
  PID: 1776
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 6KB
MD5: e3b5bd3bbda74725923b818516987ce2
SHA1: 3d11acfbdf3a7135ee90418694bab7e8cae6b868
SHA256: 113a29c2600b4d4717c1156b4a1159af5ee18abb8d7a1edc98867afeca1180f9
SHA512: 04fee0331aeff74df8a0b9920886503f8516d6dad55de2fb522d9aba9148a8bd6789f0cc7b6f891f15086ed3268df35c78940b5be9f4b467e36bae2408a7ae00

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf