Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
137s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21/09/2024, 04:27
Static task
static1
Behavioral task
behavioral1
Sample
2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe
-
Size
37KB
-
MD5
c1e80dc69b7b74cc5eac95c315d62d83
-
SHA1
531b5886d64ce1a228ea921999fb593396943325
-
SHA256
d8791625d86dff22d527f72b69d314f9a34e88d1129e3ef1d29e040fcb433208
-
SHA512
391c48bf1110d4b02f8aa15029e362a6ee3121b37057b6dbf936dfe451ed1f4c5855f4f22edbffe8175f25fea4eaaf9e41627e28b1db6d5663554fba3d11687d
-
SSDEEP
768:ETEjmqVxAxuZY9AldyQSRA2wnXw/uaLoBB5Ux4PC74801h2w:cgxAxuW2ldyYvhauBSx40480Ow
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2628 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2844 gpscript.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__420614a3f561d8b9\gpscript.exe:Zone.Identifier 2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gpscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fsutil.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2736 PING.EXE 2628 cmd.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__420614a3f561d8b9\gpscript.exe:Zone.Identifier 2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2736 PING.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2352 wrote to memory of 2628 2352 2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe 31 PID 2352 wrote to memory of 2628 2352 2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe 31 PID 2352 wrote to memory of 2628 2352 2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe 31 PID 2352 wrote to memory of 2628 2352 2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe 31 PID 2628 wrote to memory of 2736 2628 cmd.exe 33 PID 2628 wrote to memory of 2736 2628 cmd.exe 33 PID 2628 wrote to memory of 2736 2628 cmd.exe 33 PID 2628 wrote to memory of 2736 2628 cmd.exe 33 PID 2628 wrote to memory of 2784 2628 cmd.exe 34 PID 2628 wrote to memory of 2784 2628 cmd.exe 34 PID 2628 wrote to memory of 2784 2628 cmd.exe 34 PID 2628 wrote to memory of 2784 2628 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe"1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c ping -n 2 127.0.0.1 > NUL & fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe" & del "C:\Users\Admin\AppData\Local\Temp\2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe" > NUL & exit2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2736
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-09-21_c1e80dc69b7b74cc5eac95c315d62d83_lockbit.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2784
-
-
-
C:\ProgramData\Microsoft\v2.0_2.0.0.0__420614a3f561d8b9\gpscript.exeC:\ProgramData\Microsoft\v2.0_2.0.0.0__420614a3f561d8b9\gpscript.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD5c1e80dc69b7b74cc5eac95c315d62d83
SHA1531b5886d64ce1a228ea921999fb593396943325
SHA256d8791625d86dff22d527f72b69d314f9a34e88d1129e3ef1d29e040fcb433208
SHA512391c48bf1110d4b02f8aa15029e362a6ee3121b37057b6dbf936dfe451ed1f4c5855f4f22edbffe8175f25fea4eaaf9e41627e28b1db6d5663554fba3d11687d