Overview

overview

10

Static

static

10

ransom/Build.bat

windows7-x64

3

ransom/Build.bat

windows10-2004-x64

3

ransom/Build/LB3.exe

windows7-x64

9

ransom/Build/LB3.exe

windows10-2004-x64

9

ransom/Bui...or.exe

windows7-x64

7

ransom/Bui...or.exe

windows10-2004-x64

7

ransom/Bui...in.dll

windows7-x64

9

ransom/Bui...in.dll

windows10-2004-x64

7

ransom/Bui...32.dll

windows7-x64

3

ransom/Bui...32.dll

windows10-2004-x64

3

ransom/Bui...ss.dll

windows7-x64

10

ransom/Bui...ss.dll

windows10-2004-x64

10

ransom/Bui...ss.exe

windows7-x64

10

ransom/Bui...ss.exe

windows10-2004-x64

10

ransom/builder.exe

windows7-x64

1

ransom/builder.exe

windows10-2004-x64

3

ransom/keygen.exe

windows7-x64

1

ransom/keygen.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    16s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2024 01:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ransom/Build/LB3_pass.exe

  • Size

    141KB

  • MD5

    85fbdd693c11767ae0f2ae519b4df7a2

  • SHA1

    1598ea54fec9894888262976f2fdd71420eb3130

  • SHA256

    173f5533ad95e05c7a89a842f7923b23cc1b41c48221ff3262e82c847db1d409

  • SHA512

    a3ad65b7bc2d2850906d02c0c9ea18580e21d5e0c8c0868b5865ce73acfd2c550dbc3c4d79fa63ede0d4607bbcb9380841ac0f893aeddf09c1a9ed75ff8b98f5

  • SSDEEP

    3072:ifGQiJ+A2qUO9XFyKoP7C1aGTnKsXGQe7bHw7/d4f4fb3Du8vVmB4xPMG+4wHTZi:I/iQA2qUO9VZKCQUnKKGLbHt4Du8tH+s

Score
10/10
lockbitdiscoveryransomware

Malware Config

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Lockbit family
    lockbit
  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_pass.exe
    "C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_pass.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 88
      2⤵
      • Program crash
      PID:2972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2180-0-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download