Overview

overview

10

Static

static

10

LockBit-main.zip

windows7-x64

1

LockBit-main.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2024 16:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LockBit-main.zip

  • Size

    3.4MB

  • MD5

    48c928de6458fac060c281e3febc1a15

  • SHA1

    e6ed8102960a159063edd62695926d16be32ce60

  • SHA256

    ff652f97ac93507e30fca7446d266d82e5ad1ca4066b1e5dc81b5e3256e393b4

  • SHA512

    01abc3d99d8ecb19991a0a70c5e10fb4b86b70edcf1492d9827edd72e70fb1c2596ab6e49261bc31965fb68be8749fb622bf3050458eb44aec9230f567228daf

  • SSDEEP

    98304:1TKYu1ibTKwig1isTKQTK3D1i5I39BPiv12FpQiwilbl4:1OYu1sOng1tOQO3D1CI3Tg1epQiwsba

Score
10/10
rhadamanthysdiscoverystealer

Malware Config

Signatures

  • Detect rhadamanthys stealer shellcode 9 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Executes dropped EXE 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LockBit-main.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Users\Admin\AppData\Local\Temp\7zO0550E597\builder.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO0550E597\builder.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2112
    • C:\Users\Admin\AppData\Local\Temp\7zO0552ECE7\builder.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO0552ECE7\builder.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2912
    • C:\Users\Admin\AppData\Local\Temp\7zO05517738\decryptor.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO05517738\decryptor.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:668
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1204
    • C:\Users\Admin\Desktop\LockBit-main\builder.exe
      "C:\Users\Admin\Desktop\LockBit-main\builder.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3260
    • C:\Users\Admin\Desktop\LockBit-main\builder.exe
      "C:\Users\Admin\Desktop\LockBit-main\builder.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1688

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7zE0557F418\LockBit-main\Debug\decryptor.ilk
      Filesize

      850KB

      MD5

      672c4ca028c069edff75ec66f64764fc

      SHA1

      00143dc3610f7f4ef5cfa93cf2027cd988c1ebca

      SHA256

      e8b076719f648bad33c02557adb1825a0bfda497a817b17a5fb3c699559b2577

      SHA512

      1f83317253a2b9a54c48f114cd4b1de825b07b2fe0482d57105a3840e9ff7e563f817a37c10d3a07d2e7f868f99973a6aa2c7c00d36506b3c88c078a82998a97

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7zE0557F418\LockBit-main\builder\builder.vcxproj.user
      Filesize

      165B

      MD5

      b97115c31582bcb2b6ab5f6f834db248

      SHA1

      f75316dc9ee719d300a59bcb8a0f92b26c66b6ba

      SHA256

      c65b2b1a71dcd26333d8dc209ffeb90a906ddd8bbab6d45dada8e3bc84c30226

      SHA512

      d585275eb78134367cec02a2104256966c7505e0c5c622ddcc188503191cf4ce5d61ed34fff889063fbc4b4860214008557082fe559ffe9cc4d147e2717c0c22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
      Filesize

      456KB

      MD5

      515a0c8be21a5ba836e5687fc2d73333

      SHA1

      c52be9d0d37ac1b8d6bc09860e68e9e0615255ab

      SHA256

      9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

      SHA512

      4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\LockBit-main\decryptor\decryptor.pdb
      Filesize

      1.1MB

      MD5

      d28f6d860cc7415c725caaca414a6a32

      SHA1

      3823cf5c63b6d1ba15a3ca2581e83d830e63074b

      SHA256

      6b8ef6acb7d99764102dd29c2fc5d6305d2b0106a1247020fe5178985a5499f9

      SHA512

      2a29d46bfcc52681527fb2833866db04e0ee48c7bd058ca948dfa202a821ffcc544ceab286a2fdb0132c01fadb79990a88d759a1ba04cbbfa6ac4b6d3c1445d6

      Download Submit

    • memory/668-140-0x0000000002340000-0x0000000002740000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1688-251-0x0000000002210000-0x0000000002610000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2112-112-0x0000000002420000-0x0000000002820000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2112-115-0x0000000002420000-0x0000000002820000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2112-114-0x0000000002420000-0x0000000002820000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2112-113-0x0000000002420000-0x0000000002820000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2112-111-0x00000000021E0000-0x00000000021E7000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2912-128-0x0000000002100000-0x0000000002500000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2912-127-0x0000000002100000-0x0000000002500000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3260-247-0x00000000022A0000-0x00000000026A0000-memory.dmp

      Filesize

      4.0MB

      Download