Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02/10/2024, 21:31
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe
-
Size
32KB
-
MD5
fdb339d6f10e4a15ac27fdd8f78883ea
-
SHA1
401c4e1cbf2f2223477c2bbd61b33f8af2146fcd
-
SHA256
d9a4b71fe192498302d03c778811ddfe3c8433222ce9ab4fc54111724db9fabd
-
SHA512
f8f42384a58de709e4fd4d3693e17f8e1b62c24c80027320fe06403884619f17a21c9ed84f0c523b01b9cb45ad9349a3f37089677c21b68eec120a80a009743f
-
SSDEEP
768:xF2jccRV0SOZ4Okd5uIuEnMAnHw7waN8BB5Ix4PC74801X5:HyV0SO2Okd5uQBrakBGx40480x5
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2632 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2948 odbcad32.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__c1fe42e4a0773d49\odbcad32.exe:Zone.Identifier 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odbcad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fsutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2632 cmd.exe 2492 PING.EXE -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__c1fe42e4a0773d49\odbcad32.exe:Zone.Identifier 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2492 PING.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2792 wrote to memory of 2632 2792 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe 29 PID 2792 wrote to memory of 2632 2792 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe 29 PID 2792 wrote to memory of 2632 2792 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe 29 PID 2792 wrote to memory of 2632 2792 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe 29 PID 2632 wrote to memory of 2492 2632 cmd.exe 31 PID 2632 wrote to memory of 2492 2632 cmd.exe 31 PID 2632 wrote to memory of 2492 2632 cmd.exe 31 PID 2632 wrote to memory of 2492 2632 cmd.exe 31 PID 2632 wrote to memory of 272 2632 cmd.exe 32 PID 2632 wrote to memory of 272 2632 cmd.exe 32 PID 2632 wrote to memory of 272 2632 cmd.exe 32 PID 2632 wrote to memory of 272 2632 cmd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe"1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c ping -n 2 127.0.0.1 > NUL & fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe" & del "C:\Users\Admin\AppData\Local\Temp\2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe" > NUL & exit2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2492
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe"3⤵
- System Location Discovery: System Language Discovery
PID:272
-
-
-
C:\ProgramData\Microsoft\v2.0_2.0.0.0__c1fe42e4a0773d49\odbcad32.exeC:\ProgramData\Microsoft\v2.0_2.0.0.0__c1fe42e4a0773d49\odbcad32.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
90KB
MD51a2a30f9e4b787c05789f2019ba50305
SHA1256d8e5435c198b7699bcc7dd86836d0a5b934e4
SHA2560636f80c829fbc99006b2e3184ec916961dedf8774e7cd90d25d9215fc682732
SHA512c5124a263cb4c284d85d4b88317119c824e69ae1a7092bd8396ead8ae4740402ef120f61f8892444e10c7fdc3df4f8bdcb8d44c080dd9f1ab39b1521d9634110
-
Filesize
32KB
MD5fdb339d6f10e4a15ac27fdd8f78883ea
SHA1401c4e1cbf2f2223477c2bbd61b33f8af2146fcd
SHA256d9a4b71fe192498302d03c778811ddfe3c8433222ce9ab4fc54111724db9fabd
SHA512f8f42384a58de709e4fd4d3693e17f8e1b62c24c80027320fe06403884619f17a21c9ed84f0c523b01b9cb45ad9349a3f37089677c21b68eec120a80a009743f