lockbit | 5506e7c24bfce20c4def5769d38b6089853d6bab3d4186bbe07a4e9572511023

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 07:59

Target

8452b0a85e0822cd71de7a5705d7fe65ed541b91.dll
Size

140KB
MD5

0935ea62f9193d457b4e1956670ec088
SHA1

8452b0a85e0822cd71de7a5705d7fe65ed541b91
SHA256

5506e7c24bfce20c4def5769d38b6089853d6bab3d4186bbe07a4e9572511023
SHA512

92d8960e3223952aaac1c4ea0755d26339d4d114ed6c848137642d1db159b72d82069f369c83dff97e87b552dce4e53137b1d508a1a534c1ce6eacfb54897468
SSDEEP

3072:ZeDMfTwrNnlo2Og7UPXBJCg0cUZrnkBDV8hY5ZNgyrIBW:CMf8r/d7UvvCDvFkBDV82eII0

Score

10^/10

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1180-0-0x0000000010000000-0x0000000010027000-memory.dmp	family_lockbit

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2956 wrote to memory of 1180	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 1180	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 1180	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 1180	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 1180	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 1180	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 1180	2956	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8452b0a85e0822cd71de7a5705d7fe65ed541b91.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8452b0a85e0822cd71de7a5705d7fe65ed541b91.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1180

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1180-0-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download