Static task: static1
Behavioral task: behavioral1
  Sample: 2024-02-23_41297345be5edd4b0fc66e97e1083735_lockbit.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 2024-02-23_41297345be5edd4b0fc66e97e1083735_lockbit.exe
  Resource: win10v2004-20240221-en
General
Target: 2024-02-23_41297345be5edd4b0fc66e97e1083735_lockbit
Size: 54KB
MD5: 41297345be5edd4b0fc66e97e1083735
SHA1: 4aed3c2e1310e7c65633a16baf3c80b24289b6ba
SHA256: ad32e6604f830841e4808be8335aa7517046fb630e9e57f9e219cd6bf11a97df
SHA512: cd8c853d8ffec2cc9c42d1099cebcd41365aec3a88d21eb57528a83c84d9359c7f942755b0bf34c20a002be3e3b5145fef9ef6b365e51670a308746df64e8bad
SSDEEP: 1536:ZRJ4WLgxJTR6VuwM+oh1E3ncRZYQATnAf:Z/4WLgxxR6VzM11mnEQMf
Malware Config
Signatures
- Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE ATT&CK T1218.003. 1 IoC
  YARA rule INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, matched on: sample
- Detects executables containing anti-forensic artifacts of deleting the USN change journal. Observed in ransomware. 1 IoC
  YARA rule INDICATOR_SUSPICIOUS_USNDeleteJournal, matched on: sample
- Detects executables packed with aPLib. 1 IoC
  YARA rule INDICATOR_EXE_Packed_aPLib, matched on: sample
- Unsigned PE. 1 IoC
  Checks for missing Authenticode signature. Matched on: 2024-02-23_41297345be5edd4b0fc66e97e1083735_lockbit

All four signatures are static matches on the file contents; this excerpt lists no runtime events from the behavioral1/behavioral2 runs, so they indicate capabilities the binary carries rather than behavior observed during execution. The ole32 imports listed below (CoGetObject, IIDFromString, CoSetProxyBlanket) are consistent with the COM-interface technique the first rule describes.
Files
2024-02-23_41297345be5edd4b0fc66e97e1083735_lockbit.exe (windows:6, windows x86, arch:x86)
2e425f2675b17063ef08e8fa563efa65
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
shlwapi: StrToIntW, PathSkipRootW, PathFindFileNameW, StrCmpIW, StrStrIW
version: GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
bcrypt: BCryptGenRandom
ntdll: LdrEnumerateLoadedModules, RtlAcquirePebLock, memcpy, _chkstk, ZwSetInformationProcess, memset, ZwQueryInformationProcess, RtlReleasePebLock
kernel32: GetWindowsDirectoryW, CreateThread, GetCommandLineW, GetTempFileNameW, FreeResource, FindResourceW, LoadResource, LoadLibraryExW, MoveFileExW, WriteFile, OpenEventW, SizeofResource, GetFileAttributesW, GetModuleFileNameW, CreateFileW, FlushFileBuffers, GetTempPathW, GetPrivateProfileIntW, MoveFileW, LockResource, lstrcmpiW, GetModuleHandleA, DeleteFileW, GetCurrentProcessId, SetFileAttributesW, ExpandEnvironmentStringsW, GetProcAddress, LoadLibraryA, GetNativeSystemInfo, GetCurrentProcess, CreateDirectoryW, CreateEventW, SetFileTime, TerminateProcess, Process32FirstW, Process32NextW, CreateToolhelp32Snapshot, GetFileTime, OpenProcess, GetTickCount, ExitProcess, CloseHandle, GetLastError, Sleep, WaitForSingleObject, lstrcpyW, lstrcatW, lstrlenW, GetProcessHeap, HeapFree, HeapAlloc, HeapReAlloc, GetSystemDirectoryW, GetModuleHandleW
user32: MessageBoxW, wsprintfW
advapi32: GetTokenInformation, CryptAcquireContextW, RegDeleteKeyValueW, ChangeServiceConfigW, ChangeServiceConfig2W, CreateServiceW, DuplicateTokenEx, CreateProcessWithTokenW, OpenProcessToken, EnumServicesStatusExW, RevertToSelf, QueryServiceStatusEx, RegDeleteTreeW, ImpersonateLoggedOnUser, CreateWellKnownSid, AdjustTokenPrivileges, CheckTokenMembership, OpenSCManagerW, CloseServiceHandle, RegEnumKeyExW, RegOpenKeyExW, RegDeleteValueW, RegQueryValueW, RegQueryInfoKeyW, RegSetValueW, RegSetValueExW, RegCloseKey, RegCreateKeyExW, DuplicateToken, LookupPrivilegeValueW, CryptGenRandom, StartServiceW, OpenServiceW
shell32: CommandLineToArgvW, ShellExecuteExW, SHChangeNotify
ole32: CoCreateInstance, CoSetProxyBlanket, CoInitializeEx, IIDFromString, CoInitializeSecurity, CoUninitialize, CoCreateGuid, StringFromGUID2, CoGetObject
oleaut32: VariantClear, SysFreeString, SysAllocString
Sections
.text   Size: 9KB,  Virtual size: 9KB   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
.rdata  Size: 9KB,  Virtual size: 9KB   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
.data   Size: 512B, Virtual size: 1KB   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.rsrc   Size: 32KB, Virtual size: 32KB  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
.reloc  Size: 1KB,  Virtual size: 1KB   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ
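The Headers and Sections blocks above, and the "Unsigned PE" signature, are all read straight from the PE header: DllCharacteristics and Characteristics in the optional and COFF headers, the Characteristics field of each section header, and the IMAGE_DIRECTORY_ENTRY_SECURITY data directory that points at the Authenticode blob. The script below is an added example, not part of this report or of any sandbox's code; it parses those fields with the Python standard library only. The images it inspects are constructed inline (header and section table only, sizes rounded to the KB values shown above) to mirror the report's layout; they are not the analysed sample, and the 0x10000/0x1800 security-directory entry in the second image is an arbitrary value chosen to show the signed case.

```python
"""Read the PE header fields a sandbox report summarises (file/DLL characteristics,
section flags) and run the "Unsigned PE" check: is an Authenticode blob present?
Standard library only; the images inspected are constructed below, not the sample."""
import struct

MACHINE_I386, MACHINE_AMD64 = 0x014C, 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_SECURITY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset/size of the PKCS#7 blob
FILE_FLAGS = {0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE", 0x0100: "IMAGE_FILE_32BIT_MACHINE",
              0x2000: "IMAGE_FILE_DLL"}
DLL_FLAGS = {0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE", 0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
             0x4000: "IMAGE_DLLCHARACTERISTICS_GUARD_CF", 0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"}
SCN_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
             0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
             0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
             0x80000000: "IMAGE_SCN_MEM_WRITE"}


def _names(value, table):
    """Decode a bit field into flag names, ascending by bit value."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic %#x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]                 # same offset in PE32 and PE32+
    dirs = opt + (96 if magic == PE32_MAGIC else 112)                       # first data directory entry
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]                     # NumberOfRvaAndSizes
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * DIR_SECURITY) if ndirs > DIR_SECURITY else (0, 0)
    sections = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        # f = Name, VirtualSize, VirtualAddress, SizeOfRawData, ..., Characteristics
        sections.append((f[0].rstrip(b"\0").decode("ascii"), f[1], f[3], _names(f[9], SCN_FLAGS)))
    return {
        "arch": {MACHINE_I386: "x86", MACHINE_AMD64: "x64"}.get(machine, hex(machine)),
        "file_characteristics": _names(file_chars, FILE_FLAGS),
        "dll_characteristics": _names(dll_chars, DLL_FLAGS),
        "sections": sections,
        # Zero offset/size means no signature blob at all ("Unsigned PE"). A non-zero entry
        # only proves a blob exists; validity needs WinVerifyTrust/osslsigncode, not header parsing.
        "has_authenticode_blob": sec_off != 0 and sec_size != 0,
    }


def build_pe32(sections, dll_chars, file_chars, security=(0, 0)):
    """Constructed test image: DOS stub, headers and section table only, no code or imports."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                  # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", MACHINE_I386, len(sections), 0, 0, 0, 224, file_chars)
    opt = bytearray(224)                                                    # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, 2)                                      # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, *security)
    shdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, 0, rs, 0, 0, 0, 0, 0, c)
                     for n, vs, rs, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + shdrs


# Layout mirroring the report's Sections table: (name, VirtualSize, SizeOfRawData, Characteristics).
SAMPLE_SECTIONS = [
    (".text",  0x2400, 0x2400, 0x00000020 | 0x20000000 | 0x40000000),
    (".rdata", 0x2400, 0x2400, 0x00000040 | 0x40000000),
    (".data",  0x0400, 0x0200, 0x00000040 | 0x40000000 | 0x80000000),
    (".rsrc",  0x8000, 0x8000, 0x00000040 | 0x40000000),
    (".reloc", 0x0400, 0x0400, 0x00000040 | 0x02000000 | 0x40000000),
]
# DllCharacteristics 0x8140 = DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE; Characteristics 0x0102.
UNSIGNED_IMAGE = build_pe32(SAMPLE_SECTIONS, dll_chars=0x8140, file_chars=0x0102)
SIGNED_IMAGE = build_pe32(SAMPLE_SECTIONS, dll_chars=0x8140, file_chars=0x0102, security=(0x10000, 0x1800))


def report(data):
    """Render parse_pe() output in the shape of the report's Headers and Sections blocks."""
    info = parse_pe(data)
    out = ["arch: %s" % info["arch"],
           "File Characteristics: " + ", ".join(info["file_characteristics"]),
           "DLL Characteristics: " + ", ".join(info["dll_characteristics"])]
    for name, vsize, rawsize, flags in info["sections"]:
        out.append("%-7s Size: %#x  Virtual size: %#x  %s" % (name, rawsize, vsize, " | ".join(flags)))
    out.append("Authenticode blob present: %s" % info["has_authenticode_blob"])
    return "\n".join(out)


if __name__ == "__main__":
    print(report(UNSIGNED_IMAGE))
```

Pass the bytes of a real file to parse_pe() to reproduce the Headers, Sections and Unsigned PE entries for any PE32 or PE32+ binary. Note the asymmetry the last field encodes: an empty security directory is conclusive (nothing to verify), but a populated one is not a signature check, only evidence that a blob is attached, and the blob still has to be validated against the file's Authenticode hash and a trusted chain.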