lockfile | bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce

Analysis

max time kernel
1s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52e1fed4c521294c5de95bba958909c1.exe
Size

267KB
MD5

52e1fed4c521294c5de95bba958909c1
SHA1

1d01528de63c9581be0ea5ebc18dff7f6a2272d4
SHA256

bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce
SHA512

fe173025fd8e966965b2bff9389f25f215c05f54fc2283238e279ec0d14d46655c50f2cbf0d655c073de616f77151837efeffd93302230b34278a1b41f5365d6
SSDEEP

6144:NARrIk3qCl6TvSWg6ZZaYQ4dlGvgjWrgFnp3z3gj77vi7Cr:NARswU124dl3JFnp3rg3DA

Score

10^/10

lockfile ransomware

Malware Config

Signatures

Detect LockFile payload 1 IoCs

resource	yara_rule
behavioral2/memory/2012-243-0x00007FF65BD80000-0x00007FF65BE59000-memory.dmp	family_lockfile

LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
ransomware lockfile

Kills process with WMI 9 IoCs

evasion

pid	Process
4684	WMIC.exe
4652	WMIC.exe
4324	WMIC.exe
3292	WMIC.exe
4392	WMIC.exe
4340	WMIC.exe
3972	WMIC.exe
4944	WMIC.exe
4376	WMIC.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3972	Process not Found
Token: SeSecurityPrivilege	3972	Process not Found
Token: SeTakeOwnershipPrivilege	3972	Process not Found
Token: SeLoadDriverPrivilege	3972	Process not Found
Token: SeSystemProfilePrivilege	3972	Process not Found
Token: SeSystemtimePrivilege	3972	Process not Found
Token: SeProfSingleProcessPrivilege	3972	Process not Found
Token: SeIncBasePriorityPrivilege	3972	Process not Found
Token: SeCreatePagefilePrivilege	3972	Process not Found
Token: SeBackupPrivilege	3972	Process not Found
Token: SeRestorePrivilege	3972	Process not Found
Token: SeShutdownPrivilege	3972	Process not Found
Token: SeDebugPrivilege	3972	Process not Found
Token: SeSystemEnvironmentPrivilege	3972	Process not Found
Token: SeRemoteShutdownPrivilege	3972	Process not Found
Token: SeUndockPrivilege	3972	Process not Found
Token: SeManageVolumePrivilege	3972	Process not Found
Token: 33	3972	Process not Found
Token: 34	3972	Process not Found
Token: 35	3972	Process not Found
Token: 36	3972	Process not Found
Token: SeIncreaseQuotaPrivilege	3972	Process not Found
Token: SeSecurityPrivilege	3972	Process not Found
Token: SeTakeOwnershipPrivilege	3972	Process not Found
Token: SeLoadDriverPrivilege	3972	Process not Found
Token: SeSystemProfilePrivilege	3972	Process not Found
Token: SeSystemtimePrivilege	3972	Process not Found
Token: SeProfSingleProcessPrivilege	3972	Process not Found
Token: SeIncBasePriorityPrivilege	3972	Process not Found
Token: SeCreatePagefilePrivilege	3972	Process not Found
Token: SeBackupPrivilege	3972	Process not Found
Token: SeRestorePrivilege	3972	Process not Found
Token: SeShutdownPrivilege	3972	Process not Found
Token: SeDebugPrivilege	3972	Process not Found
Token: SeSystemEnvironmentPrivilege	3972	Process not Found
Token: SeRemoteShutdownPrivilege	3972	Process not Found
Token: SeUndockPrivilege	3972	Process not Found
Token: SeManageVolumePrivilege	3972	Process not Found
Token: 33	3972	Process not Found
Token: 34	3972	Process not Found
Token: 35	3972	Process not Found
Token: 36	3972	Process not Found
Token: SeIncreaseQuotaPrivilege	4652	WMIC.exe
Token: SeSecurityPrivilege	4652	WMIC.exe
Token: SeTakeOwnershipPrivilege	4652	WMIC.exe
Token: SeLoadDriverPrivilege	4652	WMIC.exe
Token: SeSystemProfilePrivilege	4652	WMIC.exe
Token: SeSystemtimePrivilege	4652	WMIC.exe
Token: SeProfSingleProcessPrivilege	4652	WMIC.exe
Token: SeIncBasePriorityPrivilege	4652	WMIC.exe
Token: SeCreatePagefilePrivilege	4652	WMIC.exe
Token: SeBackupPrivilege	4652	WMIC.exe
Token: SeRestorePrivilege	4652	WMIC.exe
Token: SeShutdownPrivilege	4652	WMIC.exe
Token: SeDebugPrivilege	4652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4652	WMIC.exe
Token: SeRemoteShutdownPrivilege	4652	WMIC.exe
Token: SeUndockPrivilege	4652	WMIC.exe
Token: SeManageVolumePrivilege	4652	WMIC.exe
Token: 33	4652	WMIC.exe
Token: 34	4652	WMIC.exe
Token: 35	4652	WMIC.exe
Token: 36	4652	WMIC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 4308	2012	52e1fed4c521294c5de95bba958909c1.exe	57
PID 2012 wrote to memory of 4308	2012	52e1fed4c521294c5de95bba958909c1.exe	57
PID 4308 wrote to memory of 3972	4308	cmd.exe	37
PID 4308 wrote to memory of 3972	4308	cmd.exe	37
PID 2012 wrote to memory of 4272	2012	52e1fed4c521294c5de95bba958909c1.exe	41
PID 2012 wrote to memory of 4272	2012	52e1fed4c521294c5de95bba958909c1.exe	41
PID 4272 wrote to memory of 4652	4272	cmd.exe	40
PID 4272 wrote to memory of 4652	4272	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\52e1fed4c521294c5de95bba958909c1.exe
"C:\Users\Admin\AppData\Local\Temp\52e1fed4c521294c5de95bba958909c1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%virtualbox%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vbox%'" call terminate
  2⤵
  PID:924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%sqlservr%'" call terminate
  2⤵
  PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%mysqld%'" call terminate
  2⤵
  PID:3192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%omtsreco%'" call terminate
  2⤵
  PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%oracle%'" call terminate
  2⤵
  PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%tnslsnr%'" call terminate
  2⤵
  PID:488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmware%'" call terminate
  2⤵
  PID:3576
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vmware%'" call terminate
    3⤵
    - Kills process with WMI
    PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmwp%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4308

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%vmwp%'" call terminate
1⤵
- Kills process with WMI
PID:3972

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%virtualbox%'" call terminate
1⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%vbox%'" call terminate
1⤵
- Kills process with WMI
PID:4324

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%sqlservr%'" call terminate
1⤵
- Kills process with WMI
PID:4944

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%mysqld%'" call terminate
1⤵
- Kills process with WMI
PID:3292

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%omtsreco%'" call terminate
1⤵
- Kills process with WMI
PID:4392

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%oracle%'" call terminate
1⤵
- Kills process with WMI
PID:4376

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%tnslsnr%'" call terminate
1⤵
- Kills process with WMI
PID:4340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2012-0-0x00007FF65BD80000-0x00007FF65BE59000-memory.dmp

Filesize
868KB

Download
memory/2012-243-0x00007FF65BD80000-0x00007FF65BE59000-memory.dmp

Filesize
868KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads