lockbit | 80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce

Analysis

max time kernel
599s
max time network
362s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
Size

162KB
MD5

38745539b71cf201bb502437f891d799
SHA1

f2a72bee623659d3ba16b365024020868246d901
SHA256

80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce
SHA512

772e76757069c3375cf1ffd659ff03f47f2d4becae61a852adbc27ae467551210d8832994f944c05fccc8486a8a88322021c94217a8bd962c2459af41067132b
SSDEEP

3072:MC/pu0EzJTnvxkIKztqGJ0OtiZ4/7I5jfa2F63Jvb3iN0RD3xpjb68Tzd4Tpx8W7:MC/pu1iIKztqGuU/7Ity2F65vb3FRlpW

Score

10^/10

lockbit discovery ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 2 IoCs

resource	yara_rule
behavioral1/memory/1600-0-0x0000000000400000-0x000000000042C000-memory.dmp	family_lockbit
behavioral1/memory/1600-1-0x0000000000400000-0x000000000042C000-memory.dmp	family_lockbit

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2404	1600	WerFault.exe	29
936	1328	WerFault.exe	46

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs

pid	Process
2616	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
1172	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
2652	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
2132	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
1224	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
1568	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
1916	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
2328	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
2412	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1332	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	taskmgr.exe
Token: 33	1908	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1908	AUDIODG.EXE
Token: 33	1908	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1908	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2404	1600	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	30
PID 1600 wrote to memory of 2404	1600	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	30
PID 1600 wrote to memory of 2404	1600	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	30
PID 1600 wrote to memory of 2404	1600	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	30
PID 2784 wrote to memory of 2616	2784	cmd.exe	36
PID 2784 wrote to memory of 2616	2784	cmd.exe	36
PID 2784 wrote to memory of 2616	2784	cmd.exe	36
PID 2784 wrote to memory of 2616	2784	cmd.exe	36
PID 2784 wrote to memory of 1172	2784	cmd.exe	37
PID 2784 wrote to memory of 1172	2784	cmd.exe	37
PID 2784 wrote to memory of 1172	2784	cmd.exe	37
PID 2784 wrote to memory of 1172	2784	cmd.exe	37
PID 2784 wrote to memory of 2652	2784	cmd.exe	39
PID 2784 wrote to memory of 2652	2784	cmd.exe	39
PID 2784 wrote to memory of 2652	2784	cmd.exe	39
PID 2784 wrote to memory of 2652	2784	cmd.exe	39
PID 2784 wrote to memory of 2132	2784	cmd.exe	40
PID 2784 wrote to memory of 2132	2784	cmd.exe	40
PID 2784 wrote to memory of 2132	2784	cmd.exe	40
PID 2784 wrote to memory of 2132	2784	cmd.exe	40
PID 2784 wrote to memory of 1224	2784	cmd.exe	41
PID 2784 wrote to memory of 1224	2784	cmd.exe	41
PID 2784 wrote to memory of 1224	2784	cmd.exe	41
PID 2784 wrote to memory of 1224	2784	cmd.exe	41
PID 2784 wrote to memory of 1568	2784	cmd.exe	42
PID 2784 wrote to memory of 1568	2784	cmd.exe	42
PID 2784 wrote to memory of 1568	2784	cmd.exe	42
PID 2784 wrote to memory of 1568	2784	cmd.exe	42
PID 1328 wrote to memory of 936	1328	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	47
PID 1328 wrote to memory of 936	1328	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	47
PID 1328 wrote to memory of 936	1328	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	47
PID 1328 wrote to memory of 936	1328	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	47
PID 1652 wrote to memory of 1916	1652	cmd.exe	51
PID 1652 wrote to memory of 1916	1652	cmd.exe	51
PID 1652 wrote to memory of 1916	1652	cmd.exe	51
PID 1652 wrote to memory of 1916	1652	cmd.exe	51
PID 1652 wrote to memory of 2328	1652	cmd.exe	52
PID 1652 wrote to memory of 2328	1652	cmd.exe	52
PID 1652 wrote to memory of 2328	1652	cmd.exe	52
PID 1652 wrote to memory of 2328	1652	cmd.exe	52
PID 1652 wrote to memory of 2412	1652	cmd.exe	53
PID 1652 wrote to memory of 2412	1652	cmd.exe	53
PID 1652 wrote to memory of 2412	1652	cmd.exe	53
PID 1652 wrote to memory of 2412	1652	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
"C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 88
  2⤵
  - Program crash
  PID:2404

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -pass
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -pass
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -pass
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2132
- C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1224
- C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -pass
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1568

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1332

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
"C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 88
  2⤵
  - Program crash
  PID:936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\Downloads\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1916
- C:\Users\Admin\Downloads\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -pass
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2328
- C:\Users\Admin\Downloads\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -pass
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1332-2-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1332-3-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1332-4-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1600-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1600-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download