lockbit | c6c070a5f254253986dcc1ad6273e0c660d4c20af9ce08c3142c77e8427c07d4

General

Target

test.zip
Size

160KB
MD5

ef564ad8c5e6335a863af37fc8856c0f
SHA1

3c914d164e6cfa2ca3ab0d7dc7d47747d2809b36
SHA256

c6c070a5f254253986dcc1ad6273e0c660d4c20af9ce08c3142c77e8427c07d4
SHA512

b1a846da8b294ec0c0ead16c1cf9591a368eec49baf0b6319f909ee61e73867c93fb3854aa32425a7e8ab0deb6a0fad5d3814adc123aa307a81e996d8e807450
SSDEEP

3072:R6nh44Nut1jfIS4GNaQdce4dVo4932f08xriir4wC7zozkUe4U:Mh4WuVXwQdcho49mDxr3MXzo4Ue4U

Score

10^/10

lockbit ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000014f3e-8.dat	family_lockbit
behavioral1/memory/1772-10-0x0000000000400000-0x000000000042C000-memory.dmp	family_lockbit
behavioral1/memory/1772-11-0x0000000000400000-0x000000000042C000-memory.dmp	family_lockbit

Executes dropped EXE 4 IoCs

Processes:

80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

pid	Process
1772	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
1556	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
912	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
1792	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
1860	NOTEPAD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs

Processes:

80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

pid	Process
1772	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
1556	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
912	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
1792	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zG.exe7zG.exe

description	pid	Process
Token: SeRestorePrivilege	2576	7zG.exe
Token: 35	2576	7zG.exe
Token: SeSecurityPrivilege	2576	7zG.exe
Token: SeSecurityPrivilege	2576	7zG.exe
Token: SeRestorePrivilege	1408	7zG.exe
Token: 35	1408	7zG.exe
Token: SeSecurityPrivilege	1408	7zG.exe
Token: SeSecurityPrivilege	1408	7zG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zG.exe7zG.exe

pid	Process
2576	7zG.exe
1408	7zG.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 2960 wrote to memory of 1772	2960	cmd.exe	39
PID 2960 wrote to memory of 1772	2960	cmd.exe	39
PID 2960 wrote to memory of 1772	2960	cmd.exe	39
PID 2960 wrote to memory of 1772	2960	cmd.exe	39
PID 2960 wrote to memory of 1556	2960	cmd.exe	40
PID 2960 wrote to memory of 1556	2960	cmd.exe	40
PID 2960 wrote to memory of 1556	2960	cmd.exe	40
PID 2960 wrote to memory of 1556	2960	cmd.exe	40
PID 2960 wrote to memory of 912	2960	cmd.exe	41
PID 2960 wrote to memory of 912	2960	cmd.exe	41
PID 2960 wrote to memory of 912	2960	cmd.exe	41
PID 2960 wrote to memory of 912	2960	cmd.exe	41
PID 2960 wrote to memory of 1792	2960	cmd.exe	42
PID 2960 wrote to memory of 1792	2960	cmd.exe	42
PID 2960 wrote to memory of 1792	2960	cmd.exe	42
PID 2960 wrote to memory of 1792	2960	cmd.exe	42

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\test.zip
1⤵
PID:2132

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\test\" -spe -an -ai#7zMap8701:88:7zEvent9618
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2576

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\test\nothing.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1860

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\test\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce\" -spe -an -ai#7zMap21924:218:7zEvent12036
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\test\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a CHECK_UI_LANGUAGE_FLAG
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1772
- C:\Users\Admin\AppData\Local\Temp\test\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a\
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\test\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:912
- C:\Users\Admin\AppData\Local\Temp\test\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -pass db66023ab2abcb9957fb01ed50cdfa6a
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.zip

Filesize
160KB

MD5
10ce48154d7e912037e1b100519e0b64

SHA1
07651ddfdd6e9c9cf20576037f6df1d2859e0ec8

SHA256
286d395a11787e4b4106d56edcbdceaf0fc64aa5b0b341d411ee3a80221baaab

SHA512
a6b9d36fcdd17526cfc333a626258eddd2e467bf8e6f3f369ef6f02f5d75f601e13c692e922d5717c2f163c453ed40af15d0f48b7f6b22800ff48bcd6d3f8ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\test\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

Filesize
162KB

MD5
38745539b71cf201bb502437f891d799

SHA1
f2a72bee623659d3ba16b365024020868246d901

SHA256
80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce

SHA512
772e76757069c3375cf1ffd659ff03f47f2d4becae61a852adbc27ae467551210d8832994f944c05fccc8486a8a88322021c94217a8bd962c2459af41067132b

Download Submit
C:\Users\Admin\AppData\Local\Temp\test\nothing.txt

Filesize
96B

MD5
e3826f99bef4b2cb1e4b20f9293d782a

SHA1
a05ec35fb8ba27a5b34e7b0896f26c1496b53698

SHA256
980fc980881354923c7ef7c6737adf9bdf5e72d3cf8a12fa18c4d4eb38cdf7ae

SHA512
5028582211b5764fa87c3a83f9daed057149fc5dd08e327a10c62fda5bb52bc3385ec3971b37d75b6a85dcd4c6c2e1873f09ce310ad21763c5fe12f4efee168a

Download Submit
memory/1772-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1772-11-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads