2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit

Resubmissions

01/03/2024, 00:38

240301-ay45kagh2w 10

28/02/2024, 17:33

240228-v5bf2shh5t 10

28/02/2024, 04:56

240228-fkpevabg37 10

Sharing

Copy URL Twitter E-mail

General

Target

2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit
Size

148KB
MD5

5d066d873d1736570f2d10c182dfebd2
SHA1

0d1c278b83406c53dcc9db44630d2ef002a3b28a
SHA256

3a46534271954db3df6dcc13b13fc69c7f7cc95c0a6f59b46778299c4168c658
SHA512

cca191dd972416e52cecbf6c438533118871a3a58de1ba28a5c790207afec7e1eb9fcadc759cf0b311544803169bc63463c0a03b03dd2deb8eed06305767085d
SSDEEP

3072:ym0ROZIL87L1yoklfzGp3XjRaDyZbMqqD/A6lHlC:ypMCL8rpHjRaPqqD/RjC

Score

10^/10

Malware Config

Signatures

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_USNDeleteJournal

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit

Files

2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit
.exe windows:5 windows x86 arch:x86

168ea5b327edf5713a2bb8e19a928d13

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

netapi32

NetShareEnum
NetApiBufferFree

iphlpapi

GetAdaptersInfo

ws2_32

ioctlsocket
htons
connect
socket
inet_addr
WSAStartup
select
closesocket
__WSAFDIsSet
WSACleanup
WSAGetLastError

crypt32

CryptBinaryToStringA

gdiplus

GdipDeleteGraphics
GdipDeleteStringFormat
GdipDeleteFont
GdipGetImageGraphicsContext
GdiplusStartup
GdipCreateStringFormat
GdipSetStringFormatAlign
GdipSaveImageToFile
GdipGetImageEncodersSize
GdipCloneBrush
GdipDrawString
GdipDeleteBrush
GdipAlloc
GdipDisposeImage
GdipCreateLineBrushFromRect
GdipSetStringFormatLineAlign
GdipCreateFont
GdipFree
GdipCreateBitmapFromScan0
GdipGetGenericFontFamilySansSerif
GdipDeleteFontFamily
GdipGetImageEncoders
GdipFillRectangle
GdipCreateFontFamilyFromName

shlwapi

PathAddBackslashW
PathFindExtensionW
PathRemoveBackslashW
PathRemoveExtensionA
PathRemoveFileSpecW
StrFormatByteSize64A

mpr

WNetCloseEnum
WNetAddConnection2W
WNetOpenEnumW
WNetGetConnectionW
WNetEnumResourceW

ntdll

RtlEnterCriticalSection
RtlLeaveCriticalSection
RtlDeleteCriticalSection
RtlInitializeCriticalSection
NtSetInformationThread
NtAdjustPrivilegesToken
NtOpenProcessToken
NtQueryInformationToken
RtlGetAce
NtOpenProcess
RtlQueryInformationAcl
RtlAllocateAndInitializeSid
RtlAddAce
RtlLengthSid
NtClose
RtlAdjustPrivilege
RtlFreeSid
RtlAddAccessDeniedAce
NtSetInformationProcess
RtlCreateAcl
NtWaitForSingleObject
NtSetInformationFile
NtCreateIoCompletion
NtRemoveIoCompletion
NtQueryInformationFile
RtlInterlockedPushEntrySList
RtlInitializeSListHead
RtlInterlockedPopEntrySList
RtlInterlockedFlushSList
RtlInitUnicodeString
NtAllocateVirtualMemory
LdrEnumerateLoadedModules
RtlAcquirePebLock
RtlReleasePebLock

msvcrt

malloc
calloc
free

kernel32

SetProcessShutdownParameters
FindFirstFileExW
SetConsoleMode
WriteFile
GetWindowsDirectoryW
MoveFileW
SystemTimeToFileTime
SetFileTime
ReadFile
FindNextVolumeW
GetVolumePathNamesForVolumeNameW
FindVolumeClose
SetConsoleTitleA
SetConsoleTextAttribute
GetModuleHandleA
SetConsoleCtrlHandler
GetConsoleMode
GetLocalTime
SetVolumeMountPointW
FindFirstVolumeW
QueryDosDeviceW
CreateProcessA
lstrcmpiA
GetCurrentProcessId
MoveFileExW
Process32Next
CreateToolhelp32Snapshot
OpenProcess
GetSystemDefaultLangID
TerminateProcess
Process32First
LoadLibraryA
OpenMutexA
CreateMutexA
GetTempFileNameW
GetTempPathW
GetDriveTypeW
lstrcmpiW
ExitProcess
CreateThread
CloseHandle
DeleteFileW
GetDiskFreeSpaceExW
SetFileAttributesW
ExitThread
GetFileAttributesW
CreateFileW
FindClose
SetThreadUILanguage
WaitForMultipleObjects
FindNextFileW
GetProcAddress
GetLogicalDrives
AllocConsole
GetConsoleWindow

user32

GetSystemMenu
IsWindowVisible
DeleteMenu
GetMessageW
ShowWindow
GetWindowThreadProcessId
PeekMessageW
GetWindowLongA
wvsprintfA
RegisterHotKey
FlashWindow
SetLayeredWindowAttributes
EnableMenuItem
CharLowerBuffW
CharUpperA
MessageBoxA
wsprintfW
SystemParametersInfoW
GetSystemMetrics
wsprintfA
SetWindowLongA
GetShellWindow

advapi32

CloseServiceHandle
RegSetValueExA
RegOpenKeyA
RegCloseKey
CryptReleaseContext
InitializeSecurityDescriptor
RegQueryValueExA
OpenProcessToken
DuplicateToken
OpenThreadToken
GetTokenInformation
SetSecurityInfo
GetSecurityInfo
CheckTokenMembership
CreateWellKnownSid
EnumDependentServicesA
SetThreadToken
OpenSCManagerA
RegCreateKeyExA
ControlService
RegSetValueExW
RegDeleteValueW
QueryServiceStatusEx
RegQueryValueExW
OpenServiceA
SetFileSecurityW
CryptAcquireContextW
SetSecurityDescriptorOwner
CryptGenRandom
LookupPrivilegeValueA

shell32

SHEmptyRecycleBinW
ShellExecuteExA
ShellExecuteExW
CommandLineToArgvW

ole32

CoGetObject
CoUninitialize
CoInitializeEx

Sections

.text
Size: 121KB - Virtual size: 121KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Resubmissions

Sharing

General

Malware Config

Signatures

Files

168ea5b327edf5713a2bb8e19a928d13

Headers

DLL Characteristics

File Characteristics

Imports

netapi32

iphlpapi

ws2_32

crypt32

gdiplus

shlwapi

mpr

ntdll

msvcrt

kernel32

user32

advapi32

shell32

ole32

Sections

.text Size: 121KB - Virtual size: 121KB

.rdata Size: 25KB - Virtual size: 24KB

.data Size: 512B - Virtual size: 8KB

.text
Size: 121KB - Virtual size: 121KB

.rdata
Size: 25KB - Virtual size: 24KB

.data
Size: 512B - Virtual size: 8KB