lockbit | 4d9349b5fa20bbd711b665f8a97ede9224f0d34265d5811a2877093fbaff7221

Resubmissions

01/04/2025, 08:53

250401-ktap9sypz6 10

01/04/2025, 08:10

250401-j2selswwgw 10

Analysis

max time kernel
119s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2025, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
Size

162KB
MD5

1abcf3a673e796a32a23798d9bfd4aa5
SHA1

7c51aadc181fd73dc9a89211c22f28e4068f7b00
SHA256

016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d
SHA512

092bb8a7e8997f718becb836202c73ea080206333eda2e9199872ee8be066df97e563a79b1fe2b35a54db7dbbe1ea5dee3fbf59719f1e5d48df6a50794527904
SSDEEP

3072:o5uyulsHwnV1gFnTwn7zwJGJv3t5kCI5Gzei3N2VzRmK:o5uZ1nPgFnk7EJwJI5gDN2VVm

Score

10^/10

lockbit discovery ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 2 IoCs

resource	yara_rule
behavioral1/memory/5080-0-0x0000000000400000-0x000000000042C000-memory.dmp	family_lockbit
behavioral1/memory/5080-1-0x0000000000400000-0x000000000042C000-memory.dmp	family_lockbit

Program crash 13 IoCs

pid	pid_target	Process	procid_target
3916	5080	WerFault.exe	87
5848	5824	WerFault.exe	118
4100	4112	WerFault.exe	120
2612	2220	WerFault.exe	125
5740	1692	WerFault.exe	126
812	4744	WerFault.exe	131
2880	4632	WerFault.exe	134
2460	2244	WerFault.exe	137
3636	1620	WerFault.exe	138
5232	2060	WerFault.exe	144
640	2340	WerFault.exe	143
784	3652	WerFault.exe	149
2472	2788	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 5824	1680	cmd.exe	118
PID 1680 wrote to memory of 5824	1680	cmd.exe	118
PID 1680 wrote to memory of 5824	1680	cmd.exe	118
PID 1680 wrote to memory of 4112	1680	cmd.exe	120
PID 1680 wrote to memory of 4112	1680	cmd.exe	120
PID 1680 wrote to memory of 4112	1680	cmd.exe	120
PID 1680 wrote to memory of 2220	1680	cmd.exe	125
PID 1680 wrote to memory of 2220	1680	cmd.exe	125
PID 1680 wrote to memory of 2220	1680	cmd.exe	125
PID 1680 wrote to memory of 1692	1680	cmd.exe	126
PID 1680 wrote to memory of 1692	1680	cmd.exe	126
PID 1680 wrote to memory of 1692	1680	cmd.exe	126
PID 1680 wrote to memory of 4744	1680	cmd.exe	131
PID 1680 wrote to memory of 4744	1680	cmd.exe	131
PID 1680 wrote to memory of 4744	1680	cmd.exe	131
PID 1680 wrote to memory of 4632	1680	cmd.exe	134
PID 1680 wrote to memory of 4632	1680	cmd.exe	134
PID 1680 wrote to memory of 4632	1680	cmd.exe	134
PID 1680 wrote to memory of 2244	1680	cmd.exe	137
PID 1680 wrote to memory of 2244	1680	cmd.exe	137
PID 1680 wrote to memory of 2244	1680	cmd.exe	137
PID 1680 wrote to memory of 1620	1680	cmd.exe	138
PID 1680 wrote to memory of 1620	1680	cmd.exe	138
PID 1680 wrote to memory of 1620	1680	cmd.exe	138
PID 1680 wrote to memory of 2340	1680	cmd.exe	143
PID 1680 wrote to memory of 2340	1680	cmd.exe	143
PID 1680 wrote to memory of 2340	1680	cmd.exe	143
PID 1680 wrote to memory of 2060	1680	cmd.exe	144
PID 1680 wrote to memory of 2060	1680	cmd.exe	144
PID 1680 wrote to memory of 2060	1680	cmd.exe	144
PID 1680 wrote to memory of 3652	1680	cmd.exe	149
PID 1680 wrote to memory of 3652	1680	cmd.exe	149
PID 1680 wrote to memory of 3652	1680	cmd.exe	149
PID 1680 wrote to memory of 2788	1680	cmd.exe	150
PID 1680 wrote to memory of 2788	1680	cmd.exe	150
PID 1680 wrote to memory of 2788	1680	cmd.exe	150

C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
"C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 268
  2⤵
  - Program crash
  PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5080 -ip 5080
1⤵
PID:2036

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe --help
  2⤵
  PID:5824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 228
    3⤵
    - Program crash
    PID:5848
- C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe -h
  2⤵
  PID:4112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 228
    3⤵
    - Program crash
    PID:4100
- C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 232
    3⤵
    - Program crash
    PID:2612
- C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe -dir
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 228
    3⤵
    - Program crash
    PID:5740
- C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe --dir
  2⤵
  PID:4744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 232
    3⤵
    - Program crash
    PID:812
- C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  2⤵
  PID:4632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 184
    3⤵
    - Program crash
    PID:2880
- C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 184
    3⤵
    - Program crash
    PID:2460
- C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 232
    3⤵
    - Program crash
    PID:3636
- C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 228
    3⤵
    - Program crash
    PID:640
- C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  2⤵
  PID:2060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 228
    3⤵
    - Program crash
    PID:5232
- C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  2⤵
  PID:3652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 228
    3⤵
    - Program crash
    PID:784
- C:\Users\Admin\AppData\Local\Temp\016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  016cf44b5637f2c71383de4549b9eff72e74382e30add1d14c3944daed9e2e5d.exe
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 232
    3⤵
    - Program crash
    PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5824 -ip 5824
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4112 -ip 4112
1⤵
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2220 -ip 2220
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1692 -ip 1692
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4744 -ip 4744
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4632 -ip 4632
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2244 -ip 2244
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1620 -ip 1620
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2340 -ip 2340
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2060 -ip 2060
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3652 -ip 3652
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2788 -ip 2788
1⤵
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5080-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5080-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download