Analysis
-
max time kernel
16s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
08-07-2024 17:58
Behavioral task
behavioral1
Sample
Lockbit 3 Builder.7z
Resource
win7-20240705-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
Lockbit 3 Builder.7z
Resource
win10v2004-20240704-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
Lockbit 3 Builder.7z
-
Size
139KB
-
MD5
c9c2f3805f0012628e9d62e8f75af4dd
-
SHA1
b6269b1fc8813b93c11ec6066dc33d9f99f2e431
-
SHA256
b2c3beda4b000a3d9af0a457d6d942ec81696f3ed485f7cf723b18008a5f3d10
-
SHA512
ed4cb425807bbef4da92fe9e17b78746e096612e6006521279162379b2fc65f8dec7647e9c5403c6a74e6eb9b61dce7ca1c74c65d77aafbd0719be79cb1d70ff
-
SSDEEP
3072:pYWJsCuSlRODbWhyyZZsZ77n4s31uZzd2ppyMPOLOcrgCz:pbuSlicZyx4W1uLYpyMPOLjhz
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2612 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3008 wrote to memory of 2612 3008 cmd.exe 31 PID 3008 wrote to memory of 2612 3008 cmd.exe 31 PID 3008 wrote to memory of 2612 3008 cmd.exe 31
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Lockbit 3 Builder.7z"1⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lockbit 3 Builder.7z2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2612
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2820