Analysis
- max time kernel: 134s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04-10-2024 08:25
Behavioral task behavioral1
- Sample: test3.zip
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: test3.zip
- Resource: win10v2004-20240802-en
General
- Target: test3.zip
- Size: 102KB
- MD5: 0e325d00fd30af4577f7a1df57a67b3f
- SHA1: a3f86e3a702dba6582b967217e411af3b662d771
- SHA256: 28664daf83a19ae6efd7caf9433600981fbb7c95025f473dc4e6099b603512a0
- SHA512: 5802d619ffb5bba93183d2d1ccb25c516e13e6ed801b37737a8aafeeb3577c8a12bf36308eb57f6621e69e2589b82f1fd7d4c4b4b669c3df4622acae22faa1c7
- SSDEEP: 3072:Wwa7KxzWhIKXRzJUGdje+7Yenbw85eNwnaYeW02aa:Wwa7NhIKYG0+EeHeSa912aa
Malware Config
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Rule to detect Lockbit 3.0 ransomware Windows payload (3 IoCs)
  | resource | yara_rule |
  |---|---|
  | behavioral1/files/0x0008000000016da7-5.dat | family_lockbit |
  | behavioral1/memory/2620-7-0x0000000000400000-0x000000000042C000-memory.dmp | family_lockbit |
  | behavioral1/memory/2620-12-0x0000000000400000-0x000000000042C000-memory.dmp | family_lockbit |
- Executes dropped EXE (6 IoCs)
  | pid | Process |
  |---|---|
  | 2620 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin |
  | 2204 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin |
  | 1648 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin |
  | 1864 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin |
  | 2024 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe |
  | 1204 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe |
- Loads dropped DLL (15 IoCs; identical records collapsed, the last column gives how many times each appears)
  | pid | Process | records |
  |---|---|---|
  | 2676 | WerFault.exe | 4 |
  | 2404 | WerFault.exe | 4 |
  | 1096 | WerFault.exe | 4 |
  | 2848 | WerFault.exe | 3 |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (6 IoCs)
  | pid | pid_target | Process | procid_target |
  |---|---|---|---|
  | 2676 | 2620 | WerFault.exe | 37 |
  | 2404 | 2204 | WerFault.exe | 39 |
  | 1096 | 1648 | WerFault.exe | 41 |
  | 2848 | 1864 | WerFault.exe | 43 |
  | 1876 | 2024 | WerFault.exe | 47 |
  | 1992 | 1204 | WerFault.exe | 49 |
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  | description | ioc | Process |
  |---|---|---|
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin |
- Modifies registry class (1 IoCs)
  | description | ioc | Process |
  |---|---|---|
  | Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings | rundll32.exe |
- Opens file in notepad (likely ransom note) (1 IoCs)
  | pid | Process |
  |---|---|
  | 2408 | NOTEPAD.EXE |
- Suspicious behavior: CmdExeWriteProcessMemorySpam (5 IoCs)
  | pid | Process |
  |---|---|
  | 2620 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin |
  | 2204 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin |
  | 1648 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin |
  | 1864 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin |
  | 1204 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe |
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  | description | pid | Process |
  |---|---|---|
  | Token: SeRestorePrivilege | 2832 | 7zG.exe |
  | Token: 35 | 2832 | 7zG.exe |
  | Token: SeSecurityPrivilege | 2832 | 7zG.exe |
  | Token: SeSecurityPrivilege | 2832 | 7zG.exe |
- Suspicious use of FindShellTrayWindow (1 IoCs)
  | pid | Process |
  |---|---|
  | 2832 | 7zG.exe |
- Suspicious use of WriteProcessMemory (44 IoCs; each distinct record appears four times in the report and is listed once here)
  | description | pid | Process | procid_target | records |
  |---|---|---|---|---|
  | PID 1500 wrote to memory of 2620 | 1500 | cmd.exe | 37 | 4 |
  | PID 2620 wrote to memory of 2676 | 2620 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin | 38 | 4 |
  | PID 1500 wrote to memory of 2204 | 1500 | cmd.exe | 39 | 4 |
  | PID 2204 wrote to memory of 2404 | 2204 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin | 40 | 4 |
  | PID 1500 wrote to memory of 1648 | 1500 | cmd.exe | 41 | 4 |
  | PID 1648 wrote to memory of 1096 | 1648 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin | 42 | 4 |
  | PID 1500 wrote to memory of 1864 | 1500 | cmd.exe | 43 | 4 |
  | PID 1864 wrote to memory of 2848 | 1864 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin | 44 | 4 |
  | PID 2024 wrote to memory of 1876 | 2024 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe | 48 | 4 |
  | PID 1500 wrote to memory of 1204 | 1500 | cmd.exe | 49 | 4 |
  | PID 1204 wrote to memory of 1992 | 1204 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe | 50 | 4 |
Processes (process tree; children are indented under their parent)
- C:\Windows\Explorer.exe (PID 2936)
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\test3.zip
- C:\Program Files\7-Zip\7zG.exe (PID 2832)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\test3\" -spe -an -ai#7zMap21070:90:7zEvent3980
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\NOTEPAD.EXE (PID 2408)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\test3\nothing.txt
  Signatures: Opens file in notepad (likely ransom note)
- C:\Windows\System32\cmd.exe (PID 1500)
  Command line: "C:\Windows\System32\cmd.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin (PID 2620)
    Command line: a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a CHECK_UI_LANGUAGE_FLAG
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2676)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 88
      Signatures: Loads dropped DLL; Program crash
  - C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin (PID 2204)
    Command line: a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2404)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 88
      Signatures: Loads dropped DLL; Program crash
  - C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin (PID 1648)
    Command line: a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin -pass db66023ab2abcb9957fb01ed50cdfa6a
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1096)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 88
      Signatures: Loads dropped DLL; Program crash
  - C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin (PID 1864)
    Command line: a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2848)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 88
      Signatures: Loads dropped DLL; Program crash
  - C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe (PID 1204)
    Command line: a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1992)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 88
      Signatures: Program crash
- C:\Windows\system32\rundll32.exe (PID 2016)
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
  Signatures: Modifies registry class
- C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe (PID 2024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe"
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 1876)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 88
    Signatures: Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
  Filesize: 162KB
  MD5: 03b14473eef5b7e38d9a5041c1af0a76
  SHA1: 371353e9564c58ae4722a03205ac84ab34383d8c
  SHA256: a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e
  SHA512: eb39446791d4cdbfcd13dfc3ee1902cbc80f946d177e53a2927ef1e53257113e904ae5b5711a5622769b45bfcb961cd9c33158ad9c1f5e1258ff91d8bc753615
- (path not recorded in the report)
  Filesize: 96B
  MD5: e3826f99bef4b2cb1e4b20f9293d782a
  SHA1: a05ec35fb8ba27a5b34e7b0896f26c1496b53698
  SHA256: 980fc980881354923c7ef7c6737adf9bdf5e72d3cf8a12fa18c4d4eb38cdf7ae
  SHA512: 5028582211b5764fa87c3a83f9daed057149fc5dd08e327a10c62fda5bb52bc3385ec3971b37d75b6a85dcd4c6c2e1873f09ce310ad21763c5fe12f4efee168a