2024-02-03_445e8ccfc4137296695096c92bb09eaf_lockbit

Sharing

Copy URL Twitter E-mail

General

Target

2024-02-03_445e8ccfc4137296695096c92bb09eaf_lockbit
Size

274KB
MD5

445e8ccfc4137296695096c92bb09eaf
SHA1

c652d0942c9f5688e2e5fe6a096b7f8ded2a02cc
SHA256

02eaa4dd28cd2ca7ca60112b9e8876980edc7b6dae396569684448c91bcb2157
SHA512

635d7bc0f4dd25519b0e5bd015ce7ba5b8abb99da82e9c6a0b3309386fef85f2708d9ad0f33f48bbad81d0d60b42479a395e2b172558d0c9006deffdbbe2eb66
SSDEEP

6144:fGpV1z8QOGpGGpV1z8Qcy1PSbOqslVC7nJUkhIeMIcC16V:+pVaWpPpVaxy0bOM7np+e31

Score

10^/10

Malware Config

Signatures

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects executables built or packed with MPress PE compressor 1 IoCs

resource	yara_rule
sample	INDICATOR_EXE_Packed_MPress

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_USNDeleteJournal

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-02-03_445e8ccfc4137296695096c92bb09eaf_lockbit

Files

2024-02-03_445e8ccfc4137296695096c92bb09eaf_lockbit
.exe windows:5 windows x86 arch:x86

f5e4c8acb92fb1c8223cff431020dba0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

htons
getsockname
shutdown
setsockopt
WSAConnect
closesocket
send
WSASocketW
WSAStartup
freeaddrinfo
getaddrinfo
WSAGetLastError
select
getpeername
recv

shlwapi

PathCombineW
wvnsprintfW
wvnsprintfA
PathFindFileNameW
PathRemoveFileSpecA
PathRemoveBackslashA
PathAddBackslashA
PathSkipRootW
PathMatchSpecW
PathUnquoteSpacesW
StrCmpNIW
StrStrIW

crypt32

CryptMsgGetParam
CertFindCertificateInStore
CertFreeCertificateContext
CertGetNameStringW
CryptQueryObject

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

msvcrt

tolower
strncmp
sprintf
strtod
memcpy
_except_handler3
memset

psapi

GetProcessImageFileNameW

kernel32

UpdateResourceW
LockResource
BeginUpdateResourceW
SizeofResource
GetComputerNameW
GetNativeSystemInfo
CreateDirectoryW
GetModuleHandleW
GetCurrentThread
GetCommandLineA
GetComputerNameExW
lstrlenA
HeapReAlloc
HeapAlloc
HeapFree
HeapCreate
HeapValidate
GetProcessHeaps
HeapSetInformation
GetCurrentProcessId
LoadLibraryExW
GetProcAddress
lstrlenW
WideCharToMultiByte
FreeLibrary
LoadLibraryW
lstrcpynW
lstrcatW
FindResourceW
LoadResource
ExitProcess
GetVolumeNameForVolumeMountPointA
GetTempFileNameW
CreateProcessW
MoveFileExW
WaitForSingleObject
GetTickCount
WriteFile
TerminateProcess
GetModuleFileNameW
CreateFileW
OpenMutexW
CreateEventW
CloseHandle
DeleteFileW
SetFileAttributesW
FindFirstFileW
GetSystemDirectoryW
Sleep
CopyFileW
GetFileAttributesW
FindClose
GetModuleHandleA
lstrcpyW
GetFullPathNameW
GetCommandLineW
GetFileSize
CreateMutexW
SetFilePointerEx
GetUserDefaultLCID
SetEvent
EndUpdateResourceW
ReadFile
GetLastError
SetCurrentDirectoryW
lstrcmpiW
OpenEventW
OutputDebugStringA
LocalFree
CreateThread
FindNextFileW
MapViewOfFile
UnmapViewOfFile
SetFileTime
OpenProcess
Process32FirstW
CreateFileMappingW
Process32NextW
CreateToolhelp32Snapshot
GetFileTime
GetCurrentProcess
GetWindowsDirectoryW
SearchPathW
GetTempPathW
EnumResourceNamesW
FreeResource
SetThreadPriority

user32

wvsprintfA
wvsprintfW
wsprintfW
wsprintfA

advapi32

RegDeleteValueW
CryptGenRandom
RegCreateKeyExW
CreateWellKnownSid
CheckTokenMembership
LookupAccountSidW
DuplicateToken
GetTokenInformation
IsWellKnownSid
OpenProcessToken
EnumServicesStatusExW
QueryServiceConfigW
SetServiceStatus
QueryServiceStatus
StartServiceW
ChangeServiceConfig2W
RegSetValueW
RegisterServiceCtrlHandlerExW
OpenServiceW
OpenSCManagerW
DeleteService
CloseServiceHandle
CreateServiceW
RegEnumValueW
CryptAcquireContextW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
StartServiceCtrlDispatcherW
CryptHashData
CryptDestroyHash
CryptCreateHash
CryptReleaseContext
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegSetValueExW
CryptGetHashParam

shell32

SHChangeNotify
ShellExecuteExW
SHGetFolderPathA
SHGetFolderPathW
SHGetSpecialFolderPathW
CommandLineToArgvW

ole32

CoUninitialize
CoGetObject
IIDFromString
CoInitialize
CoInitializeEx
CoInitializeSecurity
CoCreateInstance

ntdll

ZwQueryInformationProcess
ZwSetInformationProcess
RtlDosPathNameToNtPathName_U
ZwDeleteFile
RtlAcquirePebLock
RtlReleasePebLock
LdrEnumerateLoadedModules
RtlFreeUnicodeString

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 196KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 996B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

DGNXMahl
Size: 512B - Virtual size: 148B

hBHaBPjL
Size: 13KB - Virtual size: 12KB

sbbZHmcO
Size: 31KB - Virtual size: 30KB

XdJPNSTC
Size: 512B - Virtual size: 486B

VqYQVZZY
Size: 2KB - Virtual size: 1KB

sIPMaxGa
Size: 512B - Virtual size: 395B

SjOTruvh
Size: 54KB - Virtual size: 54KB

WMfKmGzd
Size: 1KB - Virtual size: 1KB

OASdgAse
Size: 127KB - Virtual size: 127KB

ugpeaWvU
Size: 6KB - Virtual size: 5KB

Sharing

General

Malware Config

Signatures

Files

f5e4c8acb92fb1c8223cff431020dba0

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

shlwapi

crypt32

version

msvcrt

psapi

kernel32

user32

advapi32

shell32

ole32

ntdll

Sections

.text Size: 23KB - Virtual size: 22KB

.rdata Size: 11KB - Virtual size: 10KB

.data Size: 1024B - Virtual size: 196KB

.rsrc Size: 1024B - Virtual size: 996B

DGNXMahl Size: 512B - Virtual size: 148B

hBHaBPjL Size: 13KB - Virtual size: 12KB

sbbZHmcO Size: 31KB - Virtual size: 30KB

XdJPNSTC Size: 512B - Virtual size: 486B

VqYQVZZY Size: 2KB - Virtual size: 1KB

sIPMaxGa Size: 512B - Virtual size: 395B

SjOTruvh Size: 54KB - Virtual size: 54KB

WMfKmGzd Size: 1KB - Virtual size: 1KB

OASdgAse Size: 127KB - Virtual size: 127KB

ugpeaWvU Size: 6KB - Virtual size: 5KB

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 11KB - Virtual size: 10KB

.data
Size: 1024B - Virtual size: 196KB

.rsrc
Size: 1024B - Virtual size: 996B

DGNXMahl
Size: 512B - Virtual size: 148B

hBHaBPjL
Size: 13KB - Virtual size: 12KB

sbbZHmcO
Size: 31KB - Virtual size: 30KB

XdJPNSTC
Size: 512B - Virtual size: 486B

VqYQVZZY
Size: 2KB - Virtual size: 1KB

sIPMaxGa
Size: 512B - Virtual size: 395B

SjOTruvh
Size: 54KB - Virtual size: 54KB

WMfKmGzd
Size: 1KB - Virtual size: 1KB

OASdgAse
Size: 127KB - Virtual size: 127KB

ugpeaWvU
Size: 6KB - Virtual size: 5KB