2024-01-18_3265a2a9fa9355441a761180bff005d9_lockbit

Sharing

Copy URL

Twitter E-mail

General

Target

2024-01-18_3265a2a9fa9355441a761180bff005d9_lockbit
Size

448KB
MD5

3265a2a9fa9355441a761180bff005d9
SHA1

d401fb50dec42d8e9cb42cc22209435c2984833e
SHA256

08170423a982ac5aebe61f8c7a75eb3f5d53a5676cd6abbb2bc622137722f1a0
SHA512

b4332abd34eed8233daa8ad96f00e87e373e946f6de51a51bd30d3c7c47fd7dc765701a2e8400df483e9d1645e298a943e902a07c3d399052c2a2dc972a7e50b
SSDEEP

6144:CK9J/ARcTdGbBp88b1cMXHIoYkjDtqzMnanonsRbzbHIVivElmLP3G8N:zV5+p882MXH6kjUgnayMv+ivSm7ZN

Score

10^/10

Malware Config

Signatures

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-01-18_3265a2a9fa9355441a761180bff005d9_lockbit

Files

2024-01-18_3265a2a9fa9355441a761180bff005d9_lockbit
.exe windows:6 windows x86 arch:x86

29c2072d3ddfed26771eccaedfd53246

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ReleaseMutex
SetProcessWorkingSetSize
MultiByteToWideChar
WideCharToMultiByte
EnterCriticalSection
LeaveCriticalSection
CreateFileW
GetFileSize
ReadFile
InitializeCriticalSection
GetFileAttributesW
GetLocalTime
GetModuleHandleW
GetProcAddress
LoadLibraryW
SetFileAttributesW
OutputDebugStringW
lstrlenW
GetTickCount
SetFilePointer
SystemTimeToFileTime
GetCurrentDirectoryW
LocalFileTimeToFileTime
CreateDirectoryW
WriteFile
SetFileTime
HeapDestroy
UnmapViewOfFile
CreateMutexW
GetCurrentProcess
LocalFree
IsDebuggerPresent
ExitProcess
GetStartupInfoW
SetLastError
TerminateProcess
GetCurrentThreadId
HeapCreate
GetProcessHeap
HeapSize
GetModuleFileNameW
CloseHandle
Sleep
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
FindResourceExW
FindResourceW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
HeapReAlloc
HeapFree
HeapAlloc
SizeofResource
LockResource
LoadResource
DeleteCriticalSection
InitializeCriticalSectionEx
GetLastError
RaiseException

user32

PostQuitMessage
KillTimer
SetTimer
DefWindowProcW
ShowWindow
CreateWindowExW
RegisterClassExW
LoadCursorW
LoadIconW
TranslateMessage
UnregisterClassW
MessageBoxW
GetThreadDesktop
GetUserObjectInformationW
wsprintfW
GetProcessWindowStation
SendMessageW
LoadImageW
ReleaseDC
GetSystemMetrics
UpdateWindow
GetDC
GetDesktopWindow
GetMessageW
DispatchMessageW

gdi32

BitBlt
SetPixelFormat
SwapBuffers
ChoosePixelFormat

advapi32

GetTokenInformation
OpenProcessToken

shell32

SHGetKnownFolderPath
ord165

ole32

CoSetProxyBlanket
CoTaskMemFree
CoGetObject
CoInitializeSecurity
CoInitializeEx
CoUninitialize
CoCreateInstance

oleaut32

VariantClear
SysAllocString
SysFreeString
VarUdateFromDate
VariantTimeToSystemTime
SystemTimeToVariantTime
VariantInit

msvcp140

?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?uncaught_exception@std@@YA_NXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?always_noconv@codecvt_base@std@@QBE_NXZ
??Bid@locale@std@@QAEIXZ
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@H@Z
?_Xlength_error@std@@YAXPBD@Z
?_Xout_of_range@std@@YAXPBD@Z
?_Xbad_alloc@std@@YAXXZ
?_BADOFF@std@@3_JB

shlwapi

PathAppendW
PathFindFileNameW
PathRenameExtensionW
PathRemoveFileSpecW
PathFileExistsW

wininet

InternetOpenW
InternetConnectW
InternetCloseHandle
InternetAttemptConnect
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestExW
InternetWriteFile
HttpEndRequestW
HttpQueryInfoW
InternetReadFile

gdiplus

GdipGetDC
GdiplusStartup
GdipGetImageGraphicsContext
GdipDisposeImage
GdipGetImageEncoders
GdipGetImageEncodersSize
GdipCreateBitmapFromScan0
GdipSaveImageToFile
GdipCloneImage
GdipDeleteGraphics
GdipReleaseDC
GdipAlloc
GdipFree
GdiplusShutdown

ntdll

RtlAcquirePebLock
RtlImageNtHeader
RtlGetVersion
RtlLengthRequiredSid
NtCreatePrivateNamespace
NtCreateEvent
RtlComputeCrc32
NtDeletePrivateNamespace
RtlPrefixUnicodeString
LdrLoadDll
LdrUnloadDll
LdrAccessResource
NtQueryValueKey
RtlExpandEnvironmentStrings_U
RtlRandomEx
RtlCreateBoundaryDescriptor
RtlReleasePebLock
NtMapViewOfSection
NtOpenKey
RtlSubAuthoritySid
NtEnumerateValueKey
RtlEqualUnicodeString
NtCreateSection
RtlAllocateHeap
RtlDestroyHeap
RtlInitializeSid
NtFreeVirtualMemory
NtOpenProcessToken
RtlImageDirectoryEntryToData
RtlPushFrame
RtlQueryElevationFlags
RtlPopFrame
RtlGetFrame
LdrEnumerateLoadedModules
NtAllocateVirtualMemory
NtQueryInformationToken
LdrFindResource_U
RtlFreeHeap
RtlInitUnicodeString
RtlDeleteBoundaryDescriptor
NtQueryInformationProcess
LdrGetDllHandleEx
RtlAddSIDToBoundaryDescriptor
NtUnmapViewOfSection
RtlNtStatusToDosError
RtlCreateHeap
RtlSetHeapInformation
RtlRaiseStatus
NtWaitForSingleObject
NtClose

opengl32

glEnd
glDrawPixels
glReadPixels
wglCreateContext
glLoadIdentity
glColor4i
glClear
glBegin
glVertex2i
wglMakeCurrent
glDrawBuffer
glMatrixMode

comctl32

ord17

msdelta

ApplyDeltaB
DeltaFree

bcrypt

BCryptDestroyKey
BCryptDecrypt
BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider
BCryptGenerateSymmetricKey
BCryptGetProperty

vcruntime140

__std_terminate
memmove
wcschr
wcsrchr
__std_exception_destroy
memcpy
wcsstr
__CxxFrameHandler3
_CxxThrowException
memset
__vcrt_InitializeCriticalSectionEx
_except_handler4_common
__std_exception_copy

api-ms-win-crt-string-l1-1-0

_wcsicmp
wcscpy_s
isalpha
wmemcpy_s
_stricmp
strcpy_s
strnlen
wcsnlen
wcsncpy

api-ms-win-crt-runtime-l1-1-0

_seh_filter_exe
terminate
_cexit
_get_wide_winmain_command_line
_set_app_type
_initialize_onexit_table
_initterm
_configure_wide_argv
_initterm_e
exit
_exit
_register_thread_local_exe_atexit_callback
_initialize_wide_environment
_register_onexit_function
_crt_atexit
_invalid_parameter_noinfo_noreturn
_errno
_controlfp_s
_invalid_parameter_noinfo
_c_exit

api-ms-win-crt-heap-l1-1-0

calloc
_set_new_mode
_recalloc
malloc
_callnewh
free

api-ms-win-crt-stdio-l1-1-0

ungetc
_wfopen_s
fflush
setvbuf
__stdio_common_vswprintf_s
fgetc
fputc
__stdio_common_vswprintf
fgetpos
ftell
__p__commode
__stdio_common_vsprintf
_wfopen
fclose
fread
_get_stream_buffer_pointers
fwrite
_set_fmode
_fseeki64
fseek
fsetpos

api-ms-win-crt-convert-l1-1-0

wcstombs_s
_wtoi
atoi
mbstowcs_s
_itoa_s
_wtoi64

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_lock_file
_wremove
_wrename

api-ms-win-crt-utility-l1-1-0

srand
rand

api-ms-win-crt-time-l1-1-0

_time64
wcsftime
_localtime64_s

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 110KB - Virtual size: 109KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 116B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 286KB - Virtual size: 285KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

29c2072d3ddfed26771eccaedfd53246

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

msvcp140

shlwapi

wininet

gdiplus

ntdll

opengl32

comctl32

msdelta

bcrypt

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 110KB - Virtual size: 109KB

.rdata Size: 31KB - Virtual size: 31KB

.data Size: 13KB - Virtual size: 16KB

.gfids Size: 512B - Virtual size: 116B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 286KB - Virtual size: 285KB

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 110KB - Virtual size: 109KB

.rdata
Size: 31KB - Virtual size: 31KB

.data
Size: 13KB - Virtual size: 16KB

.gfids
Size: 512B - Virtual size: 116B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 286KB - Virtual size: 285KB

.reloc
Size: 5KB - Virtual size: 5KB