Analysis Overview
SHA256
bb176c4f2cbbe4f80f3efcde3121d0ec79a2c05f9825f20445cd0b34aa05e483
Threat Level: Known bad
The file 311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.zip was found to be: Known bad.
Malicious Activity Summary
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
Renames multiple (538) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-06 06:26
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-06 06:26
Reported: 2024-11-06 06:29
Platform: win10ltsc2021-20241023-en
Max time kernel: 149s
Max time network: 141s
Command Line
Signatures
Renames multiple (538) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-641261377-2215826147-608237349-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-641261377-2215826147-608237349-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe
"C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.11.108.188:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 188.108.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/1736-0-0x0000000000A50000-0x0000000000A60000-memory.dmp
memory/1736-2-0x0000000000A50000-0x0000000000A60000-memory.dmp
memory/1736-1-0x0000000000A50000-0x0000000000A60000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-641261377-2215826147-608237349-1000\desktop.ini
| MD5 | 6f86430fd71536b6939002c86bc50307 |
| SHA1 | 786b5b401211dc438808eba1e256b6050529245d |
| SHA256 | 00119260976026bfb0b4984f511438cb77c1f7bc07bd7b8ec9cab21cba335f7d |
| SHA512 | ff2b50af1be96328c80583e6e99173814adbf41de6f26420783718e14cedc1a13baa4bb558656002142ad81c2deb08bbfa52e91833ca9cd330bb78ca74874889 |
F:\$RECYCLE.BIN\S-1-5-21-641261377-2215826147-608237349-1000\DDDDDDDDDDD
| MD5 | 65c44be3ea6375e559bebb50880faf9c |
| SHA1 | bbde47cc38c6affc7d97d535617f1c842ccaedf2 |
| SHA256 | a13ef47e13e77719c7bb10fe883abb9b5141be49bf0c5226dcbb966276304b82 |
| SHA512 | ab391cffc5a00cfc6d88710b06957eac74c480f514de96d754aef6404c477f2a8333fc750a66e30eb2de930b40a9c1352074696d7c3051d546d0b69b742f0dc4 |
memory/4592-626-0x000001BE30FF0000-0x000001BE30FF1000-memory.dmp
memory/4592-625-0x000001BE30FF0000-0x000001BE30FF1000-memory.dmp
memory/4592-624-0x000001BE30FF0000-0x000001BE30FF1000-memory.dmp
memory/4592-636-0x000001BE30FF0000-0x000001BE30FF1000-memory.dmp
memory/4592-635-0x000001BE30FF0000-0x000001BE30FF1000-memory.dmp
memory/4592-634-0x000001BE30FF0000-0x000001BE30FF1000-memory.dmp
memory/4592-633-0x000001BE30FF0000-0x000001BE30FF1000-memory.dmp
memory/4592-632-0x000001BE30FF0000-0x000001BE30FF1000-memory.dmp
memory/4592-631-0x000001BE30FF0000-0x000001BE30FF1000-memory.dmp
memory/4592-630-0x000001BE30FF0000-0x000001BE30FF1000-memory.dmp