Overview
overview
10Static
static
10ransom/Build.bat
windows7-x64
3ransom/Build.bat
windows10-2004-x64
3ransom/Build/LB3.exe
windows7-x64
9ransom/Build/LB3.exe
windows10-2004-x64
9ransom/Bui...or.exe
windows7-x64
7ransom/Bui...or.exe
windows10-2004-x64
7ransom/Bui...in.dll
windows7-x64
9ransom/Bui...in.dll
windows10-2004-x64
7ransom/Bui...32.dll
windows7-x64
3ransom/Bui...32.dll
windows10-2004-x64
3ransom/Bui...ss.dll
windows7-x64
10ransom/Bui...ss.dll
windows10-2004-x64
10ransom/Bui...ss.exe
windows7-x64
10ransom/Bui...ss.exe
windows10-2004-x64
10ransom/builder.exe
windows7-x64
1ransom/builder.exe
windows10-2004-x64
3ransom/keygen.exe
windows7-x64
1ransom/keygen.exe
windows10-2004-x64
3Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25-11-2024 01:10
Behavioral task
behavioral1
Sample
ransom/Build.bat
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
ransom/Build.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
ransom/Build/LB3.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
ransom/Build/LB3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
ransom/Build/LB3Decryptor.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
ransom/Build/LB3Decryptor.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
ransom/Build/LB3_ReflectiveDll_DllMain.dll
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
ransom/Build/LB3_ReflectiveDll_DllMain.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
ransom/Build/LB3_Rundll32.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
ransom/Build/LB3_Rundll32.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
ransom/Build/LB3_Rundll32_pass.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
ransom/Build/LB3_Rundll32_pass.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
ransom/Build/LB3_pass.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
ransom/Build/LB3_pass.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
ransom/builder.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
ransom/builder.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
ransom/keygen.exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
ransom/keygen.exe
Resource
win10v2004-20241007-en
General
-
Target
ransom/Build/LB3_Rundll32_pass.dll
-
Size
140KB
-
MD5
3c0c5293d4910194216662891d526e5a
-
SHA1
0eecd385148a15bd26b4310f6e033f2210e36366
-
SHA256
4c88ab29cac1be9a88d6c06f9544eed817685784e2c3fd46b4192cdc4d4e2834
-
SHA512
56c6cfbf22b21de3f06b0a9ed4197d6ff4e62c701b14c27aa5b4d91fabb1c97b63f8e4384efebea26d5ba0d9d9d1cdd8d1f4ae16137ead4c9398f0ceecc2978a
-
SSDEEP
3072:IyOP+K2O8hstIRx8iaXnnf70ZS1cMSNUNPtMNmG+kXYX:IyOzP4f8ia3wZacMSMPtMu
Malware Config
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
Processes:
resource yara_rule behavioral11/memory/2076-0-0x0000000010000000-0x0000000010027000-memory.dmp family_lockbit -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid Process procid_target PID 2380 wrote to memory of 2076 2380 rundll32.exe 30 PID 2380 wrote to memory of 2076 2380 rundll32.exe 30 PID 2380 wrote to memory of 2076 2380 rundll32.exe 30 PID 2380 wrote to memory of 2076 2380 rundll32.exe 30 PID 2380 wrote to memory of 2076 2380 rundll32.exe 30 PID 2380 wrote to memory of 2076 2380 rundll32.exe 30 PID 2380 wrote to memory of 2076 2380 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32_pass.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32_pass.dll,#12⤵
- System Location Discovery: System Language Discovery
PID:2076
-