https://www.malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt Archived: 2026-04-05 18:25:44 UTC Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Ransom.LockBit Vulnerability: DLL Hijacking Description: LockBit ransomware looks for and executes DLLs in its current directory. This can potentially all Family: LockBit Type: PE32 MD5: 96de05212b30ec85d4cf03386c1b84af Vuln ID: MVID-2022-0572 Disclosure: 05/02/2022 Video PoC URL: https://www.youtube.com/watch?v=3i6tv4cpfSc Exploit/PoC: 1) Compile the following C code as "netapi32.dll" 2) Place the DLL in same directory as Lockbit ransomware 3) Optional - Hide it: attrib +s +h "netapi32.dll" 4) Run Lockbit PE file #include "windows.h" #include "stdio.h" //By malvuln - 5/1/2022 //Vuln: DLL Hijacking //Target: Lockbit Ransomware //MD5: 96de05212b30ec85d4cf03386c1b84af /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //gcc -c netapi32.c -m32 //gcc -shared -o netapi32.dll netapi32.o -m32 BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; GetCurrentDirectory(MAX_PATH, TEXT(buf)); //printf("Current directory: %s\n", buf); //check the path, netapi32.dll is sideloaded by lockbit https://www.malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt Page 1 of 2 int rc = strcmp("C:\\Windows\\System32", TEXT(buf)); if(rc != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantee Source: https://www.malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt https://www.malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt Page 2 of 2