Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/10/2024, 04:59
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe
-
Size
276KB
-
MD5
789eeeba04ac520bdf118659020cde7a
-
SHA1
333adcbc1b985154bc73b5bdbddbfff18f2468e1
-
SHA256
045ca99c9e484a973e4bd404fbbdcc6dca7573d768961123f44d8545d66cdace
-
SHA512
49e462ac567318cdb71708692b05241076ea847ca470ec296f9339698e4665cf98ee12c25f8e4469304b5e3753e77158b337a6632837663f312114e5825fe98b
-
SSDEEP
6144:jGpV1z8QtGpGGpV1z8Qcy1PSbOqslVC7nJUkhIeMIcC16V:qpVaRpPpVaxy0bOM7np+e31
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe -
Executes dropped EXE 1 IoCs
pid Process 4276 convert.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NGEN17139_32 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NGEN17139_32\ = "Service" 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__de087c08862ce68f\convert.exe:Zone.Identifier 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language convert.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fsutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3120 PING.EXE 2868 cmd.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__de087c08862ce68f\convert.exe:Zone.Identifier 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3120 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe 4276 convert.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1468 wrote to memory of 2868 1468 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe 87 PID 1468 wrote to memory of 2868 1468 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe 87 PID 1468 wrote to memory of 2868 1468 2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe 87 PID 2868 wrote to memory of 3120 2868 cmd.exe 89 PID 2868 wrote to memory of 3120 2868 cmd.exe 89 PID 2868 wrote to memory of 3120 2868 cmd.exe 89 PID 2868 wrote to memory of 2304 2868 cmd.exe 90 PID 2868 wrote to memory of 2304 2868 cmd.exe 90 PID 2868 wrote to memory of 2304 2868 cmd.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe"1⤵
- Checks computer location settings
- Impair Defenses: Safe Mode Boot
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c ping -n 2 127.0.0.1 > NUL & fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe" & del "C:\Users\Admin\AppData\Local\Temp\2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe" > NUL & exit2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3120
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-12_789eeeba04ac520bdf118659020cde7a_lockbit.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2304
-
-
-
C:\ProgramData\Microsoft\v2.0_2.0.0.0__de087c08862ce68f\convert.exeC:\ProgramData\Microsoft\v2.0_2.0.0.0__de087c08862ce68f\convert.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4276
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Impair Defenses
1Safe Mode Boot
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
274KB
MD502fad75172caf584f3e61358be458e01
SHA1ef40aa5c3637f9b49d0582ba10e203f0c707cab1
SHA2560b44e92faa94bf9ff56871eeec00fbd4db639710a7c0c5a78fdabd2ec309738e
SHA512559d4b1cca2f61ae5cad3484c54baf293132e3a3fadf9ad1180fe36d6b9382e8a07706deb98da81eaaeb092761c0e85d1224ed24fda2dd65b2c19c839a2ff039
-
Filesize
276KB
MD5789eeeba04ac520bdf118659020cde7a
SHA1333adcbc1b985154bc73b5bdbddbfff18f2468e1
SHA256045ca99c9e484a973e4bd404fbbdcc6dca7573d768961123f44d8545d66cdace
SHA51249e462ac567318cdb71708692b05241076ea847ca470ec296f9339698e4665cf98ee12c25f8e4469304b5e3753e77158b337a6632837663f312114e5825fe98b