Analysis
-
max time kernel
94s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2024 07:59
Behavioral task
behavioral1
Sample
8452b0a85e0822cd71de7a5705d7fe65ed541b91.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8452b0a85e0822cd71de7a5705d7fe65ed541b91.dll
Resource
win10v2004-20241007-en
General
-
Target
8452b0a85e0822cd71de7a5705d7fe65ed541b91.dll
-
Size
140KB
-
MD5
0935ea62f9193d457b4e1956670ec088
-
SHA1
8452b0a85e0822cd71de7a5705d7fe65ed541b91
-
SHA256
5506e7c24bfce20c4def5769d38b6089853d6bab3d4186bbe07a4e9572511023
-
SHA512
92d8960e3223952aaac1c4ea0755d26339d4d114ed6c848137642d1db159b72d82069f369c83dff97e87b552dce4e53137b1d508a1a534c1ce6eacfb54897468
-
SSDEEP
3072:ZeDMfTwrNnlo2Og7UPXBJCg0cUZrnkBDV8hY5ZNgyrIBW:CMf8r/d7UvvCDvFkBDV82eII0
Malware Config
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3208-0-0x0000000010000000-0x0000000010027000-memory.dmp family_lockbit -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 2524 wrote to memory of 3208 2524 rundll32.exe rundll32.exe PID 2524 wrote to memory of 3208 2524 rundll32.exe rundll32.exe PID 2524 wrote to memory of 3208 2524 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8452b0a85e0822cd71de7a5705d7fe65ed541b91.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8452b0a85e0822cd71de7a5705d7fe65ed541b91.dll,#12⤵
- System Location Discovery: System Language Discovery
PID:3208
-