Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29-09-2024 03:47
Behavioral task
behavioral1
Sample
Lockbit2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Lockbit2.exe
Resource
win10v2004-20240802-en
General
-
Target
Lockbit2.exe
-
Size
143KB
-
MD5
d2725bca9cff007555bacf2ec998f453
-
SHA1
87b8918e94d44cab2ba113f5f9fba21279b4a8ef
-
SHA256
b49c2214a192f777060c812e5e9ac678d19919e8f21fe3e4ed62c85ecc9040e8
-
SHA512
8ad66283d073b9a53e4b80f0ba5795954920006e65d2774f47829620fee5f11f664c7d467b8a2f234c98a584b7d8206fee22b570dcb1610a695013d7d603bb25
-
SSDEEP
3072:4w2vENKK7DzwxJfkID9ek8c4RyJuq1DVedjqi7DKXIlu0NT8ZmDProa7W:wvzK7DaawkRyJH4djl7DKXIpKmDPkaK
Malware Config
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
resource yara_rule behavioral1/memory/1364-0-0x0000000000400000-0x0000000000427000-memory.dmp family_lockbit -
Program crash 1 IoCs
pid pid_target Process procid_target 2700 1364 WerFault.exe 29 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lockbit2.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1364 wrote to memory of 2700 1364 Lockbit2.exe 30 PID 1364 wrote to memory of 2700 1364 Lockbit2.exe 30 PID 1364 wrote to memory of 2700 1364 Lockbit2.exe 30 PID 1364 wrote to memory of 2700 1364 Lockbit2.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Lockbit2.exe"C:\Users\Admin\AppData\Local\Temp\Lockbit2.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 882⤵
- Program crash
PID:2700
-