2024-02-18_c5f435722d811de6b07af18b80ce5cdd_lockbit

Sharing

Copy URL Twitter E-mail

General

Target

2024-02-18_c5f435722d811de6b07af18b80ce5cdd_lockbit
Size

156KB
MD5

c5f435722d811de6b07af18b80ce5cdd
SHA1

2bf6d982d07349a83c57d7cb50bc1191d378d052
SHA256

36b7f88706d05d68ee90f7c9fc1ae3d658e271b86c8dd8c7175c22be35d4961a
SHA512

b3333e7a1f399c831d13e0fadde40248bcd7f21d811146cf24830eb6ed33b001a5d1dc4ab818709e952925d452af41943dcd1f769bb4582c0a670dfcfd4c8ef4
SSDEEP

3072:O8xXgCGyTq/jYGImyBwE5qRdMeYcRERk8rqCH8dqxnxZ:niF/jWGpkk8rqCcdqxnxZ

Score

10^/10

Malware Config

Signatures

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-02-18_c5f435722d811de6b07af18b80ce5cdd_lockbit

Files

2024-02-18_c5f435722d811de6b07af18b80ce5cdd_lockbit
.exe windows:6 windows x86 arch:x86

c7976f8d03fc9b3c6b48b495bf3176ad

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

FreeLibrary
GetStartupInfoW
WaitForDebugEvent
InitializeProcThreadAttributeList
ContinueDebugEvent
UpdateProcThreadAttribute
SetEvent
DeleteProcThreadAttributeList
CreateProcessW
TerminateThread
GetCurrentProcess
GetCurrentThreadId
LoadLibraryExW
MultiByteToWideChar
GetStringTypeW
GetModuleHandleExW
GetCPInfo
GetOEMCP
GetACP
CopyFileW
LCMapStringW
OutputDebugStringW
CreateFileW
LoadLibraryW
GetFileAttributesW
TerminateProcess
CreateDirectoryW
GetModuleHandleW
GetProcAddress
HeapDestroy
HeapAlloc
HeapCreate
FileTimeToDosDateTime
GetTempFileNameA
WideCharToMultiByte
FileTimeToLocalFileTime
DeleteFileA
CreateFileA
GetTempPathA
GetFileInformationByHandle
SetFilePointer
WriteFile
ReadFile
Sleep
GetCommandLineW
TlsSetValue
TlsGetValue
LeaveCriticalSection
EnterCriticalSection
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
HeapFree
VirtualFree
ResumeThread
DeleteFileW
CreateThread
LocalFree
CloseHandle
GetLastError
CreateEventW
LocalAlloc
WaitForSingleObject
SetLastError
ExitProcess
GetModuleFileNameW
IsValidCodePage
VirtualAlloc
VirtualQuery

user32

GetDesktopWindow
wsprintfW
GetUserObjectInformationW
GetThreadDesktop
MessageBoxW
LoadImageW
PostQuitMessage
TranslateMessage
DispatchMessageW
RegisterClassExW
UnregisterClassW
SendMessageW
CreateWindowExW
GetDC
GetProcessWindowStation
GetMessageW
DefWindowProcW

gdi32

ChoosePixelFormat
SwapBuffers
SetPixelFormat

advapi32

RegSetValueExW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
RegQueryValueExW
RegDeleteValueW
RegOpenKeyExW
RegFlushKey
RegEnumValueW
RegEnumKeyExW
RegOpenKeyW
CreateProcessWithLogonW
CreateProcessAsUserW
RegQueryInfoKeyW
CreateWellKnownSid
RegCopyTreeW
RegCreateKeyW

shell32

SHCreateItemFromParsingName
ShellExecuteExW
SHGetKnownFolderPath

ole32

CoCreateGuid
CoUninitialize
StringFromCLSID
CoTaskMemFree
CoGetObject
StringFromGUID2
CoCreateInstance
CoInitializeEx

oleaut32

SafeArrayDestroy
SysFreeString
SysAllocString
SafeArrayUnaccessData
SafeArrayCreateVector
SafeArrayAccessData

ntdll

NtCreateKey
LdrFindEntryForAddress
RtlNtStatusToDosError
NtUnmapViewOfSection
RtlAddSIDToBoundaryDescriptor
NtMapViewOfSection
RtlReleasePebLock
RtlExpandEnvironmentStrings_U
NtQueryValueKey
LdrAccessResource
RtlUnwind
NtDeleteValueKey
LdrEnumerateLoadedModules
RtlPushFrame
RtlQueryElevationFlags
RtlPopFrame
RtlGetFrame
RtlFreeHeap
RtlPrefixUnicodeString
LdrGetDllHandleEx
LdrLoadDll
RtlInitUnicodeString
LdrUnloadDll
RtlSubAuthorityCountSid
NtReadFile
RtlCreateHeap
RtlDeleteBoundaryDescriptor
NtQueryInformationProcess
LdrGetDllHandle
RtlCreateBoundaryDescriptor
RtlRandomEx
RtlAppendUnicodeToString
RtlSubAuthoritySid
NtEnumerateValueKey
NtQuerySystemInformation
RtlEqualUnicodeString
NtCreateSection
RtlAppendUnicodeStringToString
RtlDestroyHeap
RtlInitializeSid
NtFreeVirtualMemory
NtDeleteKey
DbgUiSetThreadDebugObject
NtFilterToken
RtlFreeSid
NtDuplicateObject
RtlAllocateHeap
RtlImageDirectoryEntryToData
RtlLengthSid
NtQueryInformationToken
RtlAllocateAndInitializeSid
NtSetInformationThread
NtOpenProcess
RtlSetHeapInformation
RtlRaiseStatus
NtQueryInformationFile
NtDeletePrivateNamespace
NtCreatePrivateNamespace
RtlGetCurrentPeb
RtlFormatCurrentUserKeyPath
NtFsControlFile
RtlGetVersion
RtlAcquirePebLock
LdrFindResource_U
NtSetInformationToken
NtRemoveProcessDebug
NtDuplicateToken
NtOpenProcessToken
NtSetValueKey
NtSuspendProcess
NtTerminateProcess
NtWriteVirtualMemory
RtlCreateUserThread
RtlWow64EnableFsRedirectionEx
NtAllocateVirtualMemory
NtResumeProcess
NtOpenKey
NtNotifyChangeDirectoryFile
NtWaitForSingleObject
RtlLengthRequiredSid
NtCreateFile
NtSetEvent
NtCreateEvent
RtlDosPathNameToNtPathName_U
RtlFreeUnicodeString
NtClose
RtlComputeCrc32
NtDeleteFile
RtlImageNtHeader

apphelp

SdbStartIndexing
SdbEndWriteListTag
SdbWriteStringTag
SdbCommitIndexes
SdbStopIndexing
SdbBeginWriteListTag
SdbDeclareIndex
SdbCloseDatabaseWrite
SdbWriteBinaryTag
SdbWriteDWORDTag
SdbCreateDatabase

rpcrt4

RpcBindingFree
RpcRaiseException
RpcBindingSetAuthInfoExW
RpcAsyncCompleteCall
RpcStringBindingComposeW
RpcStringFreeW
NdrAsyncClientCall
RpcBindingFromStringBindingW
RpcAsyncInitializeHandle

opengl32

glVertex2i
glLoadIdentity
glBegin
wglMakeCurrent
glDrawBuffer
glReadPixels
glDrawPixels
glMatrixMode
glEnd
glClear
glColor4i
wglCreateContext

comctl32

ord17

cabinet

ord10
ord14
ord11
ord13

msdelta

DeltaFree
ApplyDeltaB

bcrypt

BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider
BCryptDecrypt
BCryptGetProperty
BCryptDestroyKey
BCryptGenerateSymmetricKey

Sections

.text
Size: 65KB - Virtual size: 64KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c7976f8d03fc9b3c6b48b495bf3176ad

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

ntdll

apphelp

rpcrt4

opengl32

comctl32

cabinet

msdelta

bcrypt

Sections

.text Size: 65KB - Virtual size: 64KB

.rdata Size: 34KB - Virtual size: 33KB

.data Size: 4KB - Virtual size: 6KB

.rsrc Size: 46KB - Virtual size: 45KB

.reloc Size: 6KB - Virtual size: 5KB

.text
Size: 65KB - Virtual size: 64KB

.rdata
Size: 34KB - Virtual size: 33KB

.data
Size: 4KB - Virtual size: 6KB

.rsrc
Size: 46KB - Virtual size: 45KB

.reloc
Size: 6KB - Virtual size: 5KB