Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/10/2024, 05:03
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe
-
Size
33KB
-
MD5
ad176230757b9fd124e6c78d6faec1da
-
SHA1
0fb029bdca41f990fed81ec602c503bb00e60a1d
-
SHA256
ff5c507b0d2fa71c8103836b3af7e7300a46979cd63e5c04361e7445fcaa877c
-
SHA512
967287043853ff9a5afae5c2940246311349ebc308a57264c9f9b8b661fdc4314ef8186555579a13eb5127e32dcaddc53b48c5cf71b9ffc74d1657053b8e8e76
-
SSDEEP
768:HFOj0Pkj5ModZ4h2wd8iGjqW7AnHvtMaWRBB5sx4PC74801whP:lHE5Mod2kwd8L4qa4Bax40480KP
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe -
Executes dropped EXE 1 IoCs
pid Process 4964 unlodctr.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__4d3a9b3c253d2091\unlodctr.exe:Zone.Identifier 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language unlodctr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fsutil.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4360 cmd.exe 2928 PING.EXE -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__4d3a9b3c253d2091\unlodctr.exe:Zone.Identifier 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2928 PING.EXE -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4916 wrote to memory of 4360 4916 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe 87 PID 4916 wrote to memory of 4360 4916 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe 87 PID 4916 wrote to memory of 4360 4916 2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe 87 PID 4360 wrote to memory of 2928 4360 cmd.exe 89 PID 4360 wrote to memory of 2928 4360 cmd.exe 89 PID 4360 wrote to memory of 2928 4360 cmd.exe 89 PID 4360 wrote to memory of 960 4360 cmd.exe 90 PID 4360 wrote to memory of 960 4360 cmd.exe 90 PID 4360 wrote to memory of 960 4360 cmd.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe"1⤵
- Checks computer location settings
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c ping -n 2 127.0.0.1 > NUL & fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe" & del "C:\Users\Admin\AppData\Local\Temp\2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe" > NUL & exit2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2928
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-12_ad176230757b9fd124e6c78d6faec1da_lockbit.exe"3⤵
- System Location Discovery: System Language Discovery
PID:960
-
-
-
C:\ProgramData\Microsoft\v2.0_2.0.0.0__4d3a9b3c253d2091\unlodctr.exeC:\ProgramData\Microsoft\v2.0_2.0.0.0__4d3a9b3c253d2091\unlodctr.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD54682da810720f8d6eb030918bf9e95a5
SHA1f61bf402dd622accf8882e1b519bd5ac22ca6e20
SHA2564228b53ecbc98df3b6cf13d96da440c72d6479dca9f3ee72e0023aa709bf4357
SHA51232778f1cb5c596800ce9ed752dc7855c8ac7c4bb0fd6e907e2f061fc949417cb466e202b577b04435fde825f758a8bd84e448382485d443c38b7168852296572
-
Filesize
33KB
MD5ad176230757b9fd124e6c78d6faec1da
SHA10fb029bdca41f990fed81ec602c503bb00e60a1d
SHA256ff5c507b0d2fa71c8103836b3af7e7300a46979cd63e5c04361e7445fcaa877c
SHA512967287043853ff9a5afae5c2940246311349ebc308a57264c9f9b8b661fdc4314ef8186555579a13eb5127e32dcaddc53b48c5cf71b9ffc74d1657053b8e8e76