c67a559f647827352065df48a763a36a09853b6da778aa712c64381d72358e21

General

Target

2024-09-28_da82ec5fc0336a85b8d14e5f41ae4396_lockbit.exe
Size

32KB
MD5

da82ec5fc0336a85b8d14e5f41ae4396
SHA1

7d780bd434ffbc86273799f5a6e2d352ae539efb
SHA256

c67a559f647827352065df48a763a36a09853b6da778aa712c64381d72358e21
SHA512

f594e0cc53dfa41e6bd7eef7df8c8e8ef06f4611add118b929c5caf4789dbd60e51a4f0fc03f2fad96c8835f2ce1645f81505cca45eb988b29d75214b2729e9e
SSDEEP

768:JF2jccRV0SOZ4Okd5uIuEnMAnHw7waN8BB5Ix4PC74801Cki:vyV0SO2Okd5uQBrakBGx40480Yki

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	2024-09-28_da82ec5fc0336a85b8d14e5f41ae4396_lockbit.exe

Executes dropped EXE 1 IoCs

pid	Process
5108	odbcconf.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\v2.0_2.0.0.0__f755d5fb3729b0cc\odbcconf.exe:Zone.Identifier	2024-09-28_da82ec5fc0336a85b8d14e5f41ae4396_lockbit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-28_da82ec5fc0336a85b8d14e5f41ae4396_lockbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odbcconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3284	cmd.exe
976	PING.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\v2.0_2.0.0.0__f755d5fb3729b0cc\odbcconf.exe:Zone.Identifier	2024-09-28_da82ec5fc0336a85b8d14e5f41ae4396_lockbit.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
976	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 3284	1260	2024-09-28_da82ec5fc0336a85b8d14e5f41ae4396_lockbit.exe	83
PID 1260 wrote to memory of 3284	1260	2024-09-28_da82ec5fc0336a85b8d14e5f41ae4396_lockbit.exe	83
PID 1260 wrote to memory of 3284	1260	2024-09-28_da82ec5fc0336a85b8d14e5f41ae4396_lockbit.exe	83
PID 3284 wrote to memory of 976	3284	cmd.exe	85
PID 3284 wrote to memory of 976	3284	cmd.exe	85
PID 3284 wrote to memory of 976	3284	cmd.exe	85
PID 3284 wrote to memory of 1928	3284	cmd.exe	86
PID 3284 wrote to memory of 1928	3284	cmd.exe	86
PID 3284 wrote to memory of 1928	3284	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-09-28_da82ec5fc0336a85b8d14e5f41ae4396_lockbit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-28_da82ec5fc0336a85b8d14e5f41ae4396_lockbit.exe"
1⤵
- Checks computer location settings
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /d /c ping -n 2 127.0.0.1 > NUL & fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-09-28_da82ec5fc0336a85b8d14e5f41ae4396_lockbit.exe" & del "C:\Users\Admin\AppData\Local\Temp\2024-09-28_da82ec5fc0336a85b8d14e5f41ae4396_lockbit.exe" > NUL & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:976
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-09-28_da82ec5fc0336a85b8d14e5f41ae4396_lockbit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928

C:\ProgramData\Microsoft\v2.0_2.0.0.0__f755d5fb3729b0cc\odbcconf.exe
C:\ProgramData\Microsoft\v2.0_2.0.0.0__f755d5fb3729b0cc\odbcconf.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp

Filesize
32KB

MD5
da82ec5fc0336a85b8d14e5f41ae4396

SHA1
7d780bd434ffbc86273799f5a6e2d352ae539efb

SHA256
c67a559f647827352065df48a763a36a09853b6da778aa712c64381d72358e21

SHA512
f594e0cc53dfa41e6bd7eef7df8c8e8ef06f4611add118b929c5caf4789dbd60e51a4f0fc03f2fad96c8835f2ce1645f81505cca45eb988b29d75214b2729e9e

Download Submit

Analysis

Sharing