Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
124s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02/10/2024, 21:31
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe
-
Size
32KB
-
MD5
fdb339d6f10e4a15ac27fdd8f78883ea
-
SHA1
401c4e1cbf2f2223477c2bbd61b33f8af2146fcd
-
SHA256
d9a4b71fe192498302d03c778811ddfe3c8433222ce9ab4fc54111724db9fabd
-
SHA512
f8f42384a58de709e4fd4d3693e17f8e1b62c24c80027320fe06403884619f17a21c9ed84f0c523b01b9cb45ad9349a3f37089677c21b68eec120a80a009743f
-
SSDEEP
768:xF2jccRV0SOZ4Okd5uIuEnMAnHw7waN8BB5Ix4PC74801X5:HyV0SO2Okd5uQBrakBGx40480x5
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe -
Executes dropped EXE 1 IoCs
pid Process 2016 wecutil.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__35a050ecd74d48ec\wecutil.exe:Zone.Identifier 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wecutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fsutil.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3148 cmd.exe 3556 PING.EXE -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__35a050ecd74d48ec\wecutil.exe:Zone.Identifier 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3556 PING.EXE -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 212 wrote to memory of 3148 212 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe 88 PID 212 wrote to memory of 3148 212 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe 88 PID 212 wrote to memory of 3148 212 2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe 88 PID 3148 wrote to memory of 3556 3148 cmd.exe 90 PID 3148 wrote to memory of 3556 3148 cmd.exe 90 PID 3148 wrote to memory of 3556 3148 cmd.exe 90 PID 3148 wrote to memory of 4776 3148 cmd.exe 93 PID 3148 wrote to memory of 4776 3148 cmd.exe 93 PID 3148 wrote to memory of 4776 3148 cmd.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe"1⤵
- Checks computer location settings
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c ping -n 2 127.0.0.1 > NUL & fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe" & del "C:\Users\Admin\AppData\Local\Temp\2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe" > NUL & exit2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3556
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-02_fdb339d6f10e4a15ac27fdd8f78883ea_lockbit.exe"3⤵
- System Location Discovery: System Language Discovery
PID:4776
-
-
-
C:\ProgramData\Microsoft\v2.0_2.0.0.0__35a050ecd74d48ec\wecutil.exeC:\ProgramData\Microsoft\v2.0_2.0.0.0__35a050ecd74d48ec\wecutil.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32KB
MD5f502027646bc70fbd91ecbccd9f32b53
SHA1626faac31b071e82ba1cc4cb595280123cf8915e
SHA256e98619b112b000349146aa331a7db6926d67c25ab95ce41bc0d4a772afee44a7
SHA5123a244b23dc448f4d9a5c06fb06cc9f4d90659425b69a36ec6af46a9f41334b7043dbe44ac376bea77955ed5dfd47ed38782842522d235976b119ff43ff440f5e
-
Filesize
32KB
MD5fdb339d6f10e4a15ac27fdd8f78883ea
SHA1401c4e1cbf2f2223477c2bbd61b33f8af2146fcd
SHA256d9a4b71fe192498302d03c778811ddfe3c8433222ce9ab4fc54111724db9fabd
SHA512f8f42384a58de709e4fd4d3693e17f8e1b62c24c80027320fe06403884619f17a21c9ed84f0c523b01b9cb45ad9349a3f37089677c21b68eec120a80a009743f