lockbit | 3d8bf0d63c4eb8043065c0b450d076ef6676ef34bcc7055ec32b7c912af431a8

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LB3_pass.exe
Size

149KB
MD5

52f6f4598df3a891f064daf72f430869
SHA1

c3a6344c2a4286c5bb982184b793780ea7d55e14
SHA256

3d8bf0d63c4eb8043065c0b450d076ef6676ef34bcc7055ec32b7c912af431a8
SHA512

122236624fed68f4fdb63cd7177ba2116b51a6a1a15e6544a159a85c41b4c4f2a3453fdce000dc1e6851e4c6fe90d9bea973dcfebd6a5c6544d780739900b190
SSDEEP

3072:0IJ+q4TViuRUYwuRbl8A9Vse/QdYGwOsK+8:NsZRU21CS5Q0zK+8

Score

10^/10

lockbit discovery ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1700-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_lockbit
behavioral1/memory/1700-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_lockbit

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2388 1700 WerFault.exe LB3_pass.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

LB3_pass.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LB3_pass.exe

pid	pid_target	process	target process
2388	1700	WerFault.exe	LB3_pass.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3_pass.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

LB3_pass.exe

description	pid	process	target process
PID 1700 wrote to memory of 2388	1700	LB3_pass.exe	WerFault.exe
PID 1700 wrote to memory of 2388	1700	LB3_pass.exe	WerFault.exe
PID 1700 wrote to memory of 2388	1700	LB3_pass.exe	WerFault.exe
PID 1700 wrote to memory of 2388	1700	LB3_pass.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\LB3_pass.exe
"C:\Users\Admin\AppData\Local\Temp\LB3_pass.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 88
  2⤵
  - Program crash
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1700-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1700-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download