Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
12/10/2024, 04:59
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe
-
Size
276KB
-
MD5
789eeeba04ac520bdf118659020cde7a
-
SHA1
333adcbc1b985154bc73b5bdbddbfff18f2468e1
-
SHA256
045ca99c9e484a973e4bd404fbbdcc6dca7573d768961123f44d8545d66cdace
-
SHA512
49e462ac567318cdb71708692b05241076ea847ca470ec296f9339698e4665cf98ee12c25f8e4469304b5e3753e77158b337a6632837663f312114e5825fe98b
-
SSDEEP
6144:jGpV1z8QtGpGGpV1z8Qcy1PSbOqslVC7nJUkhIeMIcC16V:qpVaRpPpVaxy0bOM7np+e31
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2732 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2876 verclsid.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NGEN8229_32 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NGEN8229_32\ = "Service" 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__7bfc298cb499436b\verclsid.exe:Zone.Identifier 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fsutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language verclsid.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2732 cmd.exe 2888 PING.EXE -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__7bfc298cb499436b\verclsid.exe:Zone.Identifier 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2888 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe 2876 verclsid.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2000 wrote to memory of 2732 2000 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe 32 PID 2000 wrote to memory of 2732 2000 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe 32 PID 2000 wrote to memory of 2732 2000 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe 32 PID 2000 wrote to memory of 2732 2000 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe 32 PID 2732 wrote to memory of 2888 2732 cmd.exe 34 PID 2732 wrote to memory of 2888 2732 cmd.exe 34 PID 2732 wrote to memory of 2888 2732 cmd.exe 34 PID 2732 wrote to memory of 2888 2732 cmd.exe 34 PID 2732 wrote to memory of 2636 2732 cmd.exe 35 PID 2732 wrote to memory of 2636 2732 cmd.exe 35 PID 2732 wrote to memory of 2636 2732 cmd.exe 35 PID 2732 wrote to memory of 2636 2732 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe"1⤵
- Impair Defenses: Safe Mode Boot
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c ping -n 2 127.0.0.1 > NUL & fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe" & del "C:\Users\Admin\AppData\Local\Temp\2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe" > NUL & exit2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2888
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2636
-
-
-
C:\ProgramData\Microsoft\v2.0_2.0.0.0__7bfc298cb499436b\verclsid.exeC:\ProgramData\Microsoft\v2.0_2.0.0.0__7bfc298cb499436b\verclsid.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2876
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Impair Defenses
1Safe Mode Boot
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
276KB
MD5789eeeba04ac520bdf118659020cde7a
SHA1333adcbc1b985154bc73b5bdbddbfff18f2468e1
SHA256045ca99c9e484a973e4bd404fbbdcc6dca7573d768961123f44d8545d66cdace
SHA51249e462ac567318cdb71708692b05241076ea847ca470ec296f9339698e4665cf98ee12c25f8e4469304b5e3753e77158b337a6632837663f312114e5825fe98b