Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
132s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
12/10/2024, 05:03
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe
-
Size
33KB
-
MD5
ad176230757b9fd124e6c78d6faec1da
-
SHA1
0fb029bdca41f990fed81ec602c503bb00e60a1d
-
SHA256
ff5c507b0d2fa71c8103836b3af7e7300a46979cd63e5c04361e7445fcaa877c
-
SHA512
967287043853ff9a5afae5c2940246311349ebc308a57264c9f9b8b661fdc4314ef8186555579a13eb5127e32dcaddc53b48c5cf71b9ffc74d1657053b8e8e76
-
SSDEEP
768:HFOj0Pkj5ModZ4h2wd8iGjqW7AnHvtMaWRBB5sx4PC74801whP:lHE5Mod2kwd8L4qa4Bax40480KP
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2804 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2728 WerFaultSecure.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__1816ba8172d784ba\WerFaultSecure.exe:Zone.Identifier 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fsutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WerFaultSecure.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2804 cmd.exe 2852 PING.EXE -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__1816ba8172d784ba\WerFaultSecure.exe:Zone.Identifier 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2852 PING.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2056 wrote to memory of 2804 2056 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe 32 PID 2056 wrote to memory of 2804 2056 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe 32 PID 2056 wrote to memory of 2804 2056 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe 32 PID 2056 wrote to memory of 2804 2056 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe 32 PID 2804 wrote to memory of 2852 2804 cmd.exe 34 PID 2804 wrote to memory of 2852 2804 cmd.exe 34 PID 2804 wrote to memory of 2852 2804 cmd.exe 34 PID 2804 wrote to memory of 2852 2804 cmd.exe 34 PID 2804 wrote to memory of 2868 2804 cmd.exe 35 PID 2804 wrote to memory of 2868 2804 cmd.exe 35 PID 2804 wrote to memory of 2868 2804 cmd.exe 35 PID 2804 wrote to memory of 2868 2804 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe"1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c ping -n 2 127.0.0.1 > NUL & fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe" & del "C:\Users\Admin\AppData\Local\Temp\2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe" > NUL & exit2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2852
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2868
-
-
-
C:\ProgramData\Microsoft\v2.0_2.0.0.0__1816ba8172d784ba\WerFaultSecure.exeC:\ProgramData\Microsoft\v2.0_2.0.0.0__1816ba8172d784ba\WerFaultSecure.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2728
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33KB
MD5ad176230757b9fd124e6c78d6faec1da
SHA10fb029bdca41f990fed81ec602c503bb00e60a1d
SHA256ff5c507b0d2fa71c8103836b3af7e7300a46979cd63e5c04361e7445fcaa877c
SHA512967287043853ff9a5afae5c2940246311349ebc308a57264c9f9b8b661fdc4314ef8186555579a13eb5127e32dcaddc53b48c5cf71b9ffc74d1657053b8e8e76