Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29-09-2024 03:47
Behavioral task
behavioral1
Sample
Lockbit2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Lockbit2.exe
Resource
win10v2004-20240802-en
General
-
Target
Lockbit2.exe
-
Size
143KB
-
MD5
d2725bca9cff007555bacf2ec998f453
-
SHA1
87b8918e94d44cab2ba113f5f9fba21279b4a8ef
-
SHA256
b49c2214a192f777060c812e5e9ac678d19919e8f21fe3e4ed62c85ecc9040e8
-
SHA512
8ad66283d073b9a53e4b80f0ba5795954920006e65d2774f47829620fee5f11f664c7d467b8a2f234c98a584b7d8206fee22b570dcb1610a695013d7d603bb25
-
SSDEEP
3072:4w2vENKK7DzwxJfkID9ek8c4RyJuq1DVedjqi7DKXIlu0NT8ZmDProa7W:wvzK7DaawkRyJH4djl7DKXIpKmDPkaK
Malware Config
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Rule to detect Lockbit 3.0 ransomware Windows payload 2 IoCs
resource yara_rule behavioral2/memory/3172-0-0x0000000000400000-0x0000000000427000-memory.dmp family_lockbit behavioral2/memory/3172-1-0x0000000000400000-0x0000000000427000-memory.dmp family_lockbit -
Program crash 1 IoCs
pid pid_target Process procid_target 2472 3172 WerFault.exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lockbit2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Lockbit2.exe"C:\Users\Admin\AppData\Local\Temp\Lockbit2.exe"1⤵
- System Location Discovery: System Language Discovery
PID:3172 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 2762⤵
- Program crash
PID:2472
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3172 -ip 31721⤵PID:1028