lockbit | 1c552cfcb8289796e1a561e204da74b519b9234f119fbb689759cab5ee2f2f89

Analysis

max time kernel
81s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ee5aeaa59af63633353911bb152ec70N.exe
Size

144KB
MD5

5ee5aeaa59af63633353911bb152ec70
SHA1

510ae479e6f3f2c13fb5de6eb5d61dac820c1e50
SHA256

1c552cfcb8289796e1a561e204da74b519b9234f119fbb689759cab5ee2f2f89
SHA512

576eaf434415d12d409c1cbb1e86e48386c8aa4fd9a3c3a18249a468536798734f5fd4813ba29c6dc0a922dde430efee1381e2215442678e25cc3b4fb9122d9d
SSDEEP

3072:HZUxa2HP/u5usLQrlE22NpPMTBqSXrXiyQDo5J0H+fSMVSc8:HZUxdHu8s0rpq6qSX7KDGH9St

Score

10^/10

lockbit discovery ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2932-0-0x0000000000400000-0x0000000000428000-memory.dmp	family_lockbit
behavioral1/memory/2932-1-0x0000000000400000-0x0000000000428000-memory.dmp	family_lockbit

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2320	2932	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5ee5aeaa59af63633353911bb152ec70N.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ee5aeaa59af63633353911bb152ec70N.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5ee5aeaa59af63633353911bb152ec70N.exe

description	pid	Process	procid_target
PID 2932 wrote to memory of 2320	2932	5ee5aeaa59af63633353911bb152ec70N.exe	30
PID 2932 wrote to memory of 2320	2932	5ee5aeaa59af63633353911bb152ec70N.exe	30
PID 2932 wrote to memory of 2320	2932	5ee5aeaa59af63633353911bb152ec70N.exe	30
PID 2932 wrote to memory of 2320	2932	5ee5aeaa59af63633353911bb152ec70N.exe	30

C:\Users\Admin\AppData\Local\Temp\5ee5aeaa59af63633353911bb152ec70N.exe
"C:\Users\Admin\AppData\Local\Temp\5ee5aeaa59af63633353911bb152ec70N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 88
  2⤵
  - Program crash
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2932-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2932-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download