b2c3beda4b000a3d9af0a457d6d942ec81696f3ed485f7cf723b18008a5f3d10

Resubmissions

08-07-2024 18:01

240708-wl5ffsterh 10

08-07-2024 17:58

240708-wj81vs1dpq 10

Analysis

max time kernel
16s
max time network
19s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lockbit 3 Builder.7z
Size

139KB
MD5

c9c2f3805f0012628e9d62e8f75af4dd
SHA1

b6269b1fc8813b93c11ec6066dc33d9f99f2e431
SHA256

b2c3beda4b000a3d9af0a457d6d942ec81696f3ed485f7cf723b18008a5f3d10
SHA512

ed4cb425807bbef4da92fe9e17b78746e096612e6006521279162379b2fc65f8dec7647e9c5403c6a74e6eb9b61dce7ca1c74c65d77aafbd0719be79cb1d70ff
SSDEEP

3072:pYWJsCuSlRODbWhyyZZsZ77n4s31uZzd2ppyMPOLOcrgCz:pbuSlicZyx4W1uLYpyMPOLjhz

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

2612 rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings	rundll32.exe

pid	process
2612	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3008 wrote to memory of 2612	3008	cmd.exe	rundll32.exe
PID 3008 wrote to memory of 2612	3008	cmd.exe	rundll32.exe
PID 3008 wrote to memory of 2612	3008	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Lockbit 3 Builder.7z"
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lockbit 3 Builder.7z
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2612

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads