Sample: LockBit2.exe
Resource: win10-20240221-en
General
Target: LockBit2.0
Size: 101KB
MD5: 889328e2cf5f5d74531b9b0a25c1871c
SHA1: d14a6e699a1f0805bd1248c80c2dc9dfccf0f403
SHA256: 0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f
SHA512: f14ed75d97d2cd7e351f3cf75f9f374c2e9e388a1f5855a478d50b098b1250a67e375bdbd193b24d00bc052e0b3f8018cb3e74760be8c40b860be9f3d0ba2493
SSDEEP: 3072:AmD1tmtnnhf1j6VTAjIF66yRru77xHLbMqqD/txX6T:AyHWnn7WTWIF66yY8qqD/txqT
Malware Config
Signatures
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource LockBit2.0
Files
LockBit2.0.exe windows:5 windows x86 arch:x86
2430c4d884e6b7c075f835fdb6a6475c
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
netapi32
NetShareEnum
NetApiBufferFree
iphlpapi
GetAdaptersInfo
ws2_32
htons
ioctlsocket
WSAGetLastError
connect
inet_addr
__WSAFDIsSet
closesocket
select
WSACleanup
WSAStartup
socket
crypt32
CryptBinaryToStringA
gdiplus
GdipDrawString
GdipCreateStringFormat
GdipDeleteFontFamily
GdipGetImageEncoders
GdipCreateFontFamilyFromName
GdipDeleteBrush
GdipDisposeImage
GdipCreateFont
GdipCreateSolidFill
GdipFillRectangle
GdipGetGenericFontFamilySansSerif
GdiplusStartup
GdipGetImageGraphicsContext
GdipGetImageEncodersSize
GdipDeleteGraphics
GdipDeleteStringFormat
GdipDeleteFont
GdipCreateBitmapFromScan0
GdipSaveImageToFile
shlwapi
PathRemoveExtensionA
PathRemoveBackslashW
PathAddBackslashW
StrFormatByteSize64A
PathRemoveFileSpecW
PathFindExtensionW
mpr
WNetAddConnection2W
WNetOpenEnumW
WNetEnumResourceW
WNetGetConnectionW
WNetCloseEnum
ntdll
RtlAdjustPrivilege
RtlInitUnicodeString
NtAllocateVirtualMemory
LdrEnumerateLoadedModules
RtlAcquirePebLock
RtlReleasePebLock
memcpy
memset
msvcrt
malloc
calloc
free
kernel32
QueryDosDeviceW
FindFirstVolumeW
GetModuleFileNameW
lstrcpyW
GetWindowsDirectoryW
lstrcatW
InterlockedPopEntrySList
AllocConsole
GetCurrentProcessId
InitializeSListHead
InterlockedPushEntrySList
lstrcpyA
InterlockedFlushSList
MoveFileW
CreateIoCompletionPort
SystemTimeToFileTime
GetQueuedCompletionStatus
SetFileTime
WriteFile
GetFileSizeEx
ReadFile
SetThreadAffinityMask
FindNextVolumeW
GetVolumePathNamesForVolumeNameW
FindVolumeClose
SetVolumeMountPointW
GetLogicalDrives
FindFirstFileExW
EnterCriticalSection
GetCommandLineW
FindNextFileW
lstrlenW
WaitForMultipleObjects
LeaveCriticalSection
InitializeCriticalSection
FindClose
GetFileAttributesW
ExitThread
OpenProcess
SetFileAttributesW
CreateToolhelp32Snapshot
Sleep
GetLastError
Process32NextW
GetDiskFreeSpaceExW
GlobalAlloc
Process32FirstW
GlobalFree
CloseHandle
CreateThread
DeleteCriticalSection
ExitProcess
GetConsoleWindow
lstrcmpiW
GetDriveTypeW
GetTempPathW
MultiByteToWideChar
GetTempFileNameW
CreateMutexA
OpenMutexA
LoadLibraryA
GetProcAddress
GetTickCount
GetSystemInfo
GetLocalTime
Process32First
TerminateProcess
GetUserDefaultLangID
GetConsoleMode
WaitForSingleObject
GetModuleHandleA
Process32Next
lstrcmpiA
CreateProcessA
lstrcmpW
SetConsoleCtrlHandler
SetConsoleTextAttribute
SetConsoleTitleA
GetStdHandle
WriteConsoleA
SetConsoleMode
SetProcessShutdownParameters
SetErrorMode
CreateFileW
user32
PeekMessageW
GetWindowLongA
wvsprintfA
SetWindowLongA
ShowWindow
GetMessageW
CharLowerBuffW
CharUpperA
DeleteMenu
wsprintfW
FlashWindow
wsprintfA
IsWindowVisible
SystemParametersInfoW
GetSystemMetrics
EnableMenuItem
SetLayeredWindowAttributes
RegisterHotKey
ShutdownBlockReasonCreate
GetSystemMenu
advapi32
RegCreateKeyExA
DuplicateToken
SetThreadToken
OpenProcessToken
RegSetValueExA
RegOpenKeyA
RegCloseKey
RegQueryValueExA
GetAclInformation
GetAce
AllocateAndInitializeSid
AddAce
AddAccessDeniedAce
FreeSid
InitializeAcl
SetSecurityInfo
GetLengthSid
GetSecurityInfo
EnumDependentServicesA
CryptReleaseContext
InitializeSecurityDescriptor
CloseServiceHandle
OpenSCManagerA
GetTokenInformation
ControlService
RegSetValueExW
RegDeleteValueW
QueryServiceStatusEx
RegQueryValueExW
OpenServiceA
AdjustTokenPrivileges
SetFileSecurityW
CryptAcquireContextW
SetSecurityDescriptorOwner
CryptGenRandom
LookupPrivilegeValueA
CreateWellKnownSid
CheckTokenMembership
shell32
SHEmptyRecycleBinW
ShellExecuteExA
ShellExecuteExW
CommandLineToArgvW
ole32
CoGetObject
CoUninitialize
CoInitializeEx
Sections
.text Size: 76KB - Virtual size: 76KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 23KB - Virtual size: 23KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE