lockbit | 1e86c9b1a92c3624e69ecaabb8abf495475f07a60e9a5449053270cfd2a78b51

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cc54ffd005b4d3d048e72f6d66bcc1ac5a7a511ab9ecf59dc1d2ece72c69e85.exe
Size

57KB
MD5

a1784aa6993af25cb55a36154a954649
SHA1

d483d2515c55e74c1ddf76dd095b3fb1c8320b73
SHA256

0cc54ffd005b4d3d048e72f6d66bcc1ac5a7a511ab9ecf59dc1d2ece72c69e85
SHA512

dccf8bd4b23ad28117211a2c61567ce9101e173f6feb0c6ebb885d3aaf4292b06e4dd96b97d606f396727b0f6c01384c3487e24306b74aef5243f5dec511f982
SSDEEP

384:uI4c41g5axWYwwp0G1Ls1QuCm6Ee9nlAnXX5G6ow54gmQhDLU67L2Ro0VxdaA+Yg:Kx1g5a4iNps1Qum3OIdGX

Score

10^/10

lockbit ransomware spyware stealer

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000e000000014e3d-3.dat	family_lockbit

Renames multiple (333) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2692	2704618435.scr
1988	B50D.tmp

Loads dropped DLL 3 IoCs

pid	Process
3000	0cc54ffd005b4d3d048e72f6d66bcc1ac5a7a511ab9ecf59dc1d2ece72c69e85.exe
3000	0cc54ffd005b4d3d048e72f6d66bcc1ac5a7a511ab9ecf59dc1d2ece72c69e85.exe
2692	2704618435.scr

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	2704618435.scr
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	2704618435.scr

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\MIuB4Jpci.bmp"	2704618435.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\MIuB4Jpci.bmp"	2704618435.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr
1988	B50D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop	2704618435.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "10"	2704618435.scr

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.MIuB4Jpci	2704618435.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.MIuB4Jpci\ = "MIuB4Jpci"	2704618435.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIuB4Jpci\DefaultIcon	2704618435.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIuB4Jpci	2704618435.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIuB4Jpci\DefaultIcon\ = "C:\\ProgramData\\MIuB4Jpci.ico"	2704618435.scr

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2576	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr
2692	2704618435.scr

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeDebugPrivilege	2692	2704618435.scr
Token: 36	2692	2704618435.scr
Token: SeImpersonatePrivilege	2692	2704618435.scr
Token: SeIncBasePriorityPrivilege	2692	2704618435.scr
Token: SeIncreaseQuotaPrivilege	2692	2704618435.scr
Token: 33	2692	2704618435.scr
Token: SeManageVolumePrivilege	2692	2704618435.scr
Token: SeProfSingleProcessPrivilege	2692	2704618435.scr
Token: SeRestorePrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeSystemProfilePrivilege	2692	2704618435.scr
Token: SeTakeOwnershipPrivilege	2692	2704618435.scr
Token: SeShutdownPrivilege	2692	2704618435.scr
Token: SeDebugPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeBackupPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr
Token: SeSecurityPrivilege	2692	2704618435.scr

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2692	3000	0cc54ffd005b4d3d048e72f6d66bcc1ac5a7a511ab9ecf59dc1d2ece72c69e85.exe	28
PID 3000 wrote to memory of 2692	3000	0cc54ffd005b4d3d048e72f6d66bcc1ac5a7a511ab9ecf59dc1d2ece72c69e85.exe	28
PID 3000 wrote to memory of 2692	3000	0cc54ffd005b4d3d048e72f6d66bcc1ac5a7a511ab9ecf59dc1d2ece72c69e85.exe	28
PID 3000 wrote to memory of 2692	3000	0cc54ffd005b4d3d048e72f6d66bcc1ac5a7a511ab9ecf59dc1d2ece72c69e85.exe	28
PID 2692 wrote to memory of 1988	2692	2704618435.scr	32
PID 2692 wrote to memory of 1988	2692	2704618435.scr	32
PID 2692 wrote to memory of 1988	2692	2704618435.scr	32
PID 2692 wrote to memory of 1988	2692	2704618435.scr	32
PID 2692 wrote to memory of 1988	2692	2704618435.scr	32
PID 1988 wrote to memory of 1736	1988	B50D.tmp	33
PID 1988 wrote to memory of 1736	1988	B50D.tmp	33
PID 1988 wrote to memory of 1736	1988	B50D.tmp	33
PID 1988 wrote to memory of 1736	1988	B50D.tmp	33

C:\Users\Admin\AppData\Local\Temp\0cc54ffd005b4d3d048e72f6d66bcc1ac5a7a511ab9ecf59dc1d2ece72c69e85.exe
"C:\Users\Admin\AppData\Local\Temp\0cc54ffd005b4d3d048e72f6d66bcc1ac5a7a511ab9ecf59dc1d2ece72c69e85.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\2704618435.scr
  "C:\Users\Admin\AppData\Local\Temp\2704618435.scr" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\ProgramData\B50D.tmp
    "C:\ProgramData\B50D.tmp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B50D.tmp >> NUL
      4⤵
      PID:1736

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MIuB4Jpci.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini

Filesize
129B

MD5
5b1ffba898fd15907fcfa7d0fea0daa2

SHA1
4f8e260f2d04b986bc1399e1325b1a18d10e155c

SHA256
ffa6b6edc6467b529343eb3958191aa93244b1b295131786c3afdb3cf746d36b

SHA512
d359ed3cd335afdc2a47670da65823ab515b9767c73e4137b6df8b579c4ed875d17686bdc646cc4c3e2e8a5eee152c797bd28500d6560fdd70a7452e3faf0df7

Download Submit
C:\MIuB4Jpci.README.txt

Filesize
434B

MD5
b4709a56b9d7f431da172316cda720be

SHA1
d2132f7129a7003ec4c0392f0f08cd24ea353da6

SHA256
192d1e6078570865531e8a4c9840a483c4a2ac35fe468107284991f6da813191

SHA512
e390d51e95db5e56c666a2895dc87dab41d97e7ce3c0df1f2466abf14a651167232521ab5f52746d16bab0ef14e6c0ee9dcfe29894604d695b0d064909378227

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDD

Filesize
194KB

MD5
a1659d0f2012e344e97e88554821479e

SHA1
66afe55f5d85995b4881b6e5e098769e6e7d7c27

SHA256
ee168947f27918b0a5d566c779b22a5de1a014feb1feb1bc506e35745784f361

SHA512
885c564b17108e076a02b3e15e3af5fb1a13c85dcc5723392a963aedbc5bf14928404720d45308f7694166fb5ca7f6160d39cb348926b7a2edbd83c47d610229

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\GGGGGGGGGGG

Filesize
129B

MD5
449f2fab284880e08a48fbd32e40fb36

SHA1
64f1c19df4e96dd7615ecebc3998cf16a91da0a4

SHA256
3cac211ca78a8a8974129b9ac5508df683175bf162c1aa2b93ed8b569d4f0cb1

SHA512
20c22424fdf12f1783a369fc41db49a44dcb4f18db535d888037af1c0bebeb5f101632f289e1b163ddf05d3773e2548022e9a0b9ba8be48a7f68e381a40e89da

Download Submit
\ProgramData\B50D.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
\Users\Admin\AppData\Local\Temp\2704618435.scr

Filesize
194KB

MD5
e990e7571cdb06c5d0f093176cecf414

SHA1
409fc0816adbf05ac1586112044401ecb90c8022

SHA256
a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616

SHA512
9719fb45a0cd79ba8d51c3d052fe76dcb6d1b5b677a5398cc4fdbe6373d8763d2b0c3375929f41c5a0e46237b4a3f660b0b7f6a4f8a24ea47d52074da69baa64

Download Submit
memory/1988-865-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1988-864-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1988-863-0x0000000002170000-0x00000000021B0000-memory.dmp

Filesize
256KB

Download
memory/1988-862-0x0000000002170000-0x00000000021B0000-memory.dmp

Filesize
256KB

Download
memory/1988-861-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1988-896-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/1988-895-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2692-10-0x0000000002300000-0x0000000002340000-memory.dmp

Filesize
256KB

Download