2024-02-03_12d44f348079d0908ad7ab81d18f3d88_lockbit

Sharing

Copy URL

Twitter E-mail

General

Target

2024-02-03_12d44f348079d0908ad7ab81d18f3d88_lockbit
Size

357KB
MD5

12d44f348079d0908ad7ab81d18f3d88
SHA1

55f110f524a4550442847dfb79aaa593236c061e
SHA256

06cd0b8dbfe90f15b5e2910576d98d970836c90b7d5acde23a82ebdbd10067f8
SHA512

7a040e095ef24c90016bdce49435f3f81576842bf890b4ec910f6e7568b1a1a92819c531c7412f65851c26be80633125c3ae2aeea540148887675319a9cf2fc8
SSDEEP

6144:MGpV1z8QUrkR10efU/TGpGGpV1z8Qcy1PSbOqslVC7nJUkhIeMIcC16V:hpVaxQztf9pPpVaxy0bOM7np+e31

Score

10^/10

Malware Config

Signatures

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects executables built or packed with MPress PE compressor 1 IoCs

resource	yara_rule
sample	INDICATOR_EXE_Packed_MPress

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_USNDeleteJournal

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-02-03_12d44f348079d0908ad7ab81d18f3d88_lockbit

Files

2024-02-03_12d44f348079d0908ad7ab81d18f3d88_lockbit
.exe windows:5 windows x86 arch:x86

f5e4c8acb92fb1c8223cff431020dba0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

htons
getsockname
shutdown
setsockopt
WSAConnect
closesocket
send
WSASocketW
WSAStartup
freeaddrinfo
getaddrinfo
WSAGetLastError
select
getpeername
recv

shlwapi

PathCombineW
wvnsprintfW
wvnsprintfA
PathFindFileNameW
PathRemoveFileSpecA
PathRemoveBackslashA
PathAddBackslashA
PathSkipRootW
PathMatchSpecW
PathUnquoteSpacesW
StrCmpNIW
StrStrIW

crypt32

CryptMsgGetParam
CertFindCertificateInStore
CertFreeCertificateContext
CertGetNameStringW
CryptQueryObject

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

msvcrt

tolower
strncmp
sprintf
strtod
memcpy
_except_handler3
memset

psapi

GetProcessImageFileNameW

kernel32

UpdateResourceW
LockResource
BeginUpdateResourceW
SizeofResource
GetComputerNameW
GetNativeSystemInfo
CreateDirectoryW
GetModuleHandleW
GetCurrentThread
GetCommandLineA
GetComputerNameExW
lstrlenA
HeapReAlloc
HeapAlloc
HeapFree
HeapCreate
HeapValidate
GetProcessHeaps
HeapSetInformation
GetCurrentProcessId
LoadLibraryExW
GetProcAddress
lstrlenW
WideCharToMultiByte
FreeLibrary
LoadLibraryW
lstrcpynW
lstrcatW
FindResourceW
LoadResource
ExitProcess
GetVolumeNameForVolumeMountPointA
GetTempFileNameW
CreateProcessW
MoveFileExW
WaitForSingleObject
GetTickCount
WriteFile
TerminateProcess
GetModuleFileNameW
CreateFileW
OpenMutexW
CreateEventW
CloseHandle
DeleteFileW
SetFileAttributesW
FindFirstFileW
GetSystemDirectoryW
Sleep
CopyFileW
GetFileAttributesW
FindClose
GetModuleHandleA
lstrcpyW
GetFullPathNameW
GetCommandLineW
GetFileSize
CreateMutexW
SetFilePointerEx
GetUserDefaultLCID
SetEvent
EndUpdateResourceW
ReadFile
GetLastError
SetCurrentDirectoryW
lstrcmpiW
OpenEventW
OutputDebugStringA
LocalFree
CreateThread
FindNextFileW
MapViewOfFile
UnmapViewOfFile
SetFileTime
OpenProcess
Process32FirstW
CreateFileMappingW
Process32NextW
CreateToolhelp32Snapshot
GetFileTime
GetCurrentProcess
GetWindowsDirectoryW
SearchPathW
GetTempPathW
EnumResourceNamesW
FreeResource
SetThreadPriority

user32

wvsprintfA
wvsprintfW
wsprintfW
wsprintfA

advapi32

RegDeleteValueW
CryptGenRandom
RegCreateKeyExW
CreateWellKnownSid
CheckTokenMembership
LookupAccountSidW
DuplicateToken
GetTokenInformation
IsWellKnownSid
OpenProcessToken
EnumServicesStatusExW
QueryServiceConfigW
SetServiceStatus
QueryServiceStatus
StartServiceW
ChangeServiceConfig2W
RegSetValueW
RegisterServiceCtrlHandlerExW
OpenServiceW
OpenSCManagerW
DeleteService
CloseServiceHandle
CreateServiceW
RegEnumValueW
CryptAcquireContextW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
StartServiceCtrlDispatcherW
CryptHashData
CryptDestroyHash
CryptCreateHash
CryptReleaseContext
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegSetValueExW
CryptGetHashParam

shell32

SHChangeNotify
ShellExecuteExW
SHGetFolderPathA
SHGetFolderPathW
SHGetSpecialFolderPathW
CommandLineToArgvW

ole32

CoUninitialize
CoGetObject
IIDFromString
CoInitialize
CoInitializeEx
CoInitializeSecurity
CoCreateInstance

ntdll

ZwQueryInformationProcess
ZwSetInformationProcess
RtlDosPathNameToNtPathName_U
ZwDeleteFile
RtlAcquirePebLock
RtlReleasePebLock
LdrEnumerateLoadedModules
RtlFreeUnicodeString

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 196KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 84KB - Virtual size: 83KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

DGNXMahl
Size: 512B - Virtual size: 148B

hBHaBPjL
Size: 13KB - Virtual size: 12KB

sbbZHmcO
Size: 31KB - Virtual size: 30KB

XdJPNSTC
Size: 512B - Virtual size: 486B

VqYQVZZY
Size: 2KB - Virtual size: 1KB

sIPMaxGa
Size: 512B - Virtual size: 395B

SjOTruvh
Size: 54KB - Virtual size: 54KB

WMfKmGzd
Size: 1KB - Virtual size: 1KB

OASdgAse
Size: 127KB - Virtual size: 127KB

ugpeaWvU
Size: 6KB - Virtual size: 5KB

Sharing

General

Malware Config

Signatures

Files

f5e4c8acb92fb1c8223cff431020dba0

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

shlwapi

crypt32

version

msvcrt

psapi

kernel32

user32

advapi32

shell32

ole32

ntdll

Sections

.text Size: 23KB - Virtual size: 22KB

.rdata Size: 11KB - Virtual size: 10KB

.data Size: 1024B - Virtual size: 196KB

.rsrc Size: 84KB - Virtual size: 83KB

DGNXMahl Size: 512B - Virtual size: 148B

hBHaBPjL Size: 13KB - Virtual size: 12KB

sbbZHmcO Size: 31KB - Virtual size: 30KB

XdJPNSTC Size: 512B - Virtual size: 486B

VqYQVZZY Size: 2KB - Virtual size: 1KB

sIPMaxGa Size: 512B - Virtual size: 395B

SjOTruvh Size: 54KB - Virtual size: 54KB

WMfKmGzd Size: 1KB - Virtual size: 1KB

OASdgAse Size: 127KB - Virtual size: 127KB

ugpeaWvU Size: 6KB - Virtual size: 5KB

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 11KB - Virtual size: 10KB

.data
Size: 1024B - Virtual size: 196KB

.rsrc
Size: 84KB - Virtual size: 83KB

DGNXMahl
Size: 512B - Virtual size: 148B

hBHaBPjL
Size: 13KB - Virtual size: 12KB

sbbZHmcO
Size: 31KB - Virtual size: 30KB

XdJPNSTC
Size: 512B - Virtual size: 486B

VqYQVZZY
Size: 2KB - Virtual size: 1KB

sIPMaxGa
Size: 512B - Virtual size: 395B

SjOTruvh
Size: 54KB - Virtual size: 54KB

WMfKmGzd
Size: 1KB - Virtual size: 1KB

OASdgAse
Size: 127KB - Virtual size: 127KB

ugpeaWvU
Size: 6KB - Virtual size: 5KB