lockbit | 5a3cc12e20a0ecc79f526cd28344d24f48ff4f6da89235293edd264f02f69404 | Triage

Submit
Reports

Overview

overview

Static

static

lb4_svchost.exe

windows7-x64

9

lb4_svchost.exe

windows10-2004-x64

9

Sharing

General

Target

lb4_svchost.exe
Size

145KB
Sample

240703-k5hv1szdln
MD5

0e7adc219b82b823214edc523797b83e
SHA1

eb40b252523621aea48448efc0bf6b971cc906e7
SHA256

5a3cc12e20a0ecc79f526cd28344d24f48ff4f6da89235293edd264f02f69404
SHA512

44ab6ea43112e2c361c1303a4fb5e6edb9e0390c9c571ae0c8d7a87cb0a472d9fc2f034c98235db2676019bf025e09d5bfa7e783cfa4de5225be7acc9e51ba97
SSDEEP

1536:izICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD5bwnHm/1BviIdU/IqbNLu75RjJ:hqJogYkcSNm9V7D50nH2viI2xadRj1T

Score

10^/10

lockbit ransomware spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

lb4_svchost.exe

Resource

win7-20231129-en

ransomware spyware stealer

windows7-x64

13 signatures

300 seconds

Behavioral task

behavioral2

Sample

lb4_svchost.exe

Resource

win10v2004-20240611-en

ransomware spyware stealer

windows10-2004-x64

15 signatures

300 seconds

Malware Config

Targets

- Target
  
  lb4_svchost.exe
- Size
  
  145KB
- MD5
  
  0e7adc219b82b823214edc523797b83e
- SHA1
  
  eb40b252523621aea48448efc0bf6b971cc906e7
- SHA256
  
  5a3cc12e20a0ecc79f526cd28344d24f48ff4f6da89235293edd264f02f69404
- SHA512
  
  44ab6ea43112e2c361c1303a4fb5e6edb9e0390c9c571ae0c8d7a87cb0a472d9fc2f034c98235db2676019bf025e09d5bfa7e783cfa4de5225be7acc9e51ba97
- SSDEEP
  
  1536:izICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD5bwnHm/1BviIdU/IqbNLu75RjJ:hqJogYkcSNm9V7D50nH2viI2xadRj1T
Score

9^/10

ransomware spyware stealer
- Renames multiple (8243) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

ransomwarespywarestealer

behavioral2

ransomwarespywarestealer

© 2018-2024

Terms | Privacy