2024-04-27_e8f7fbff0edd80cff24b7da687cf97b3_lockbit

Sharing

Copy URL

Twitter E-mail

General

Target

2024-04-27_e8f7fbff0edd80cff24b7da687cf97b3_lockbit
Size

113KB
MD5

e8f7fbff0edd80cff24b7da687cf97b3
SHA1

172be6f5d683b6ae5325dbddaf633aaee7307c04
SHA256

dbfce4f7c7591599ce81d6d605441acdebf96d9507dc93633231a0b0edbe5359
SHA512

4c3cb1df6fdfa59a4d290ae61d0bba5c41bc1522ed6d8ad5ca5284b780564d053324d7fd41e700555cf4937f5fd5dd64d416ec3f0540868c205a6b83cd0ebf1d
SSDEEP

3072:+iaoa4/CskOum0Kj5fX5BzMSmcRERk8rqCBq:VYKR5BTkk8rqCBq

Score

10^/10

Malware Config

Signatures

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-04-27_e8f7fbff0edd80cff24b7da687cf97b3_lockbit

Files

2024-04-27_e8f7fbff0edd80cff24b7da687cf97b3_lockbit
.exe windows:6 windows x86 arch:x86

734835505c900ef87e71c4b1200d08dd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetStartupInfoW
TerminateThread
GetCurrentProcess
CreateThread
GetCurrentThreadId
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
FreeLibrary
IsProcessorFeaturePresent
UnhandledExceptionFilter
LoadLibraryW
OutputDebugStringW
CreateFileW
VirtualFree
WaitForSingleObject
CopyFileW
GetFileAttributesW
Sleep
TerminateProcess
CreateDirectoryW
GetProcAddress
HeapDestroy
SetUnhandledExceptionFilter
DeleteFileW
HeapAlloc
SetLastError
HeapCreate
FileTimeToDosDateTime
GetTempFileNameA
WideCharToMultiByte
FileTimeToLocalFileTime
CloseHandle
DeleteFileA
CreateFileA
GetLastError
GetTempPathA
GetFileInformationByHandle
SetFilePointer
WriteFile
ReadFile
GetCommandLineW
LoadLibraryExW
GetModuleHandleW
ExitProcess
GetModuleFileNameW
InitializeProcThreadAttributeList
VirtualAlloc
VirtualQuery

user32

CreateWindowExW
GetMessageW
SendMessageW
UnregisterClassW
RegisterClassExW
DispatchMessageW
PostQuitMessage
GetProcessWindowStation
GetDesktopWindow
GetUserObjectInformationW
GetThreadDesktop
MessageBoxW
LoadImageW
TranslateMessage
GetDC
DefWindowProcW

gdi32

SwapBuffers
ChoosePixelFormat
SetPixelFormat

advapi32

RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyW
CreateProcessWithLogonW
CreateProcessAsUserW
RegQueryInfoKeyW
RegCopyTreeW
RegSetValueExW
RegCreateKeyW
RegEnumValueW
RegFlushKey
RegDeleteValueW
RegQueryValueExW
RegCloseKey

shell32

SHGetKnownFolderPath
SHCreateItemFromParsingName
ShellExecuteExW

ole32

CoUninitialize
CoGetObject
CoTaskMemFree
StringFromCLSID
StringFromGUID2
CoCreateGuid
CoCreateInstance
CoInitializeEx

oleaut32

SafeArrayDestroy
SysFreeString
SafeArrayUnaccessData
SafeArrayCreateVector
SafeArrayAccessData
SysAllocString

ntdll

NtOpenProcess
NtSetInformationThread
RtlAllocateAndInitializeSid
NtQueryInformationToken
RtlLengthSid
RtlFreeSid
NtFilterToken
NtDeleteKey
NtFreeVirtualMemory
RtlInitializeSid
RtlDestroyHeap
RtlAppendUnicodeStringToString
NtCreateSection
RtlEqualUnicodeString
NtQuerySystemInformation
NtEnumerateValueKey
RtlSubAuthoritySid
NtSetInformationToken
RtlRandomEx
RtlCreateBoundaryDescriptor
LdrGetDllHandle
NtQueryInformationProcess
LdrFindResource_U
NtReadFile
RtlSubAuthorityCountSid
LdrEnumerateLoadedModules
NtDeleteValueKey
RtlLengthRequiredSid
RtlAcquirePebLock
RtlGetVersion
NtFsControlFile
RtlFormatCurrentUserKeyPath
RtlGetCurrentPeb
NtCreatePrivateNamespace
NtQueryInformationFile
NtDeletePrivateNamespace
RtlRaiseStatus
RtlSetHeapInformation
RtlCreateHeap
NtCreateKey
LdrFindEntryForAddress
RtlNtStatusToDosError
NtUnmapViewOfSection
RtlAddSIDToBoundaryDescriptor
NtMapViewOfSection
RtlReleasePebLock
RtlExpandEnvironmentStrings_U
NtQueryValueKey
LdrAccessResource
RtlUnwind
NtDuplicateToken
NtOpenProcessToken
NtSetValueKey
NtSuspendProcess
NtTerminateProcess
NtWriteVirtualMemory
RtlCreateUserThread
NtAllocateVirtualMemory
NtResumeProcess
NtOpenKey
NtNotifyChangeDirectoryFile
NtWaitForSingleObject
NtCreateFile
NtSetEvent
NtCreateEvent
RtlDosPathNameToNtPathName_U
RtlFreeUnicodeString
NtClose
NtDeleteFile
RtlWow64EnableFsRedirectionEx
RtlComputeCrc32
RtlPushFrame
RtlQueryElevationFlags
RtlPopFrame
RtlGetFrame
RtlImageNtHeader
RtlFreeHeap
RtlPrefixUnicodeString
LdrGetDllHandleEx
LdrLoadDll
RtlInitUnicodeString
LdrUnloadDll
RtlAllocateHeap
RtlImageDirectoryEntryToData
RtlAppendUnicodeToString
RtlDeleteBoundaryDescriptor

apphelp

SdbWriteDWORDTag
SdbWriteBinaryTag
SdbCloseDatabaseWrite
SdbDeclareIndex
SdbBeginWriteListTag
SdbStopIndexing
SdbCommitIndexes
SdbWriteStringTag
SdbEndWriteListTag
SdbStartIndexing
SdbCreateDatabase

opengl32

glDrawPixels
glMatrixMode
glEnd
glColor4i
glDrawBuffer
glClear
wglCreateContext
glReadPixels
wglMakeCurrent
glVertex2i
glLoadIdentity
glBegin

comctl32

ord17

cabinet

ord14
ord10
ord13
ord11

msdelta

DeltaFree
ApplyDeltaB

bcrypt

BCryptDecrypt
BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider
BCryptGenerateSymmetricKey
BCryptGetProperty
BCryptDestroyKey

Sections

.text
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

734835505c900ef87e71c4b1200d08dd

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

ntdll

apphelp

opengl32

comctl32

cabinet

msdelta

bcrypt

Sections

.text Size: 49KB - Virtual size: 49KB

.rdata Size: 18KB - Virtual size: 18KB

.data Size: 2KB - Virtual size: 4KB

.rsrc Size: 38KB - Virtual size: 37KB

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 49KB - Virtual size: 49KB

.rdata
Size: 18KB - Virtual size: 18KB

.data
Size: 2KB - Virtual size: 4KB

.rsrc
Size: 38KB - Virtual size: 37KB

.reloc
Size: 3KB - Virtual size: 3KB