Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/10/2024, 08:44
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe
-
Size
37KB
-
MD5
6cfcfe00292aff1e0cf69e86e18177e3
-
SHA1
03cc72c002e0baf8d414094c14a73298188dbb17
-
SHA256
17c2284f0cbf2751ec32ab205a63d1b42b069cb80743a73da207676d7bea370b
-
SHA512
af3852ff4ad24aabdd07a06fd39a8fbc0404e061754978ba47d773011efb320b31764d1691caaa1dc4063c646f576da7ed3c7e1a79a8cc5ab1b225bffd25dccd
-
SSDEEP
768:a0cr3xNg6Aut4bE0nvNS5ZHcWh+UNj07wbLwM6jHBB9D3xfjL2x4xC7g8Qcr6j:9WpAjHIHcO+UNS8GBx3xb6x4l8Qc+j
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation 2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe -
Executes dropped EXE 1 IoCs
pid Process 3940 wecutil.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NGEN60483_32 2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NGEN60483_32\ = "Service" 2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__c80a7e997106d180\wecutil.exe:Zone.Identifier 2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wecutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fsutil.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4680 cmd.exe 4876 PING.EXE -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__c80a7e997106d180\wecutil.exe:Zone.Identifier 2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4876 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe 3940 wecutil.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3176 wrote to memory of 4680 3176 2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe 89 PID 3176 wrote to memory of 4680 3176 2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe 89 PID 3176 wrote to memory of 4680 3176 2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe 89 PID 4680 wrote to memory of 4876 4680 cmd.exe 91 PID 4680 wrote to memory of 4876 4680 cmd.exe 91 PID 4680 wrote to memory of 4876 4680 cmd.exe 91 PID 4680 wrote to memory of 1476 4680 cmd.exe 92 PID 4680 wrote to memory of 1476 4680 cmd.exe 92 PID 4680 wrote to memory of 1476 4680 cmd.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe"1⤵
- Checks computer location settings
- Impair Defenses: Safe Mode Boot
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c ping -n 2 127.0.0.1 > NUL & fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe" & del "C:\Users\Admin\AppData\Local\Temp\2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe" > NUL & exit2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4876
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-12_6cfcfe00292aff1e0cf69e86e18177e3_lockbit.exe"3⤵
- System Location Discovery: System Language Discovery
PID:1476
-
-
-
C:\ProgramData\Microsoft\v2.0_2.0.0.0__c80a7e997106d180\wecutil.exeC:\ProgramData\Microsoft\v2.0_2.0.0.0__c80a7e997106d180\wecutil.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3940
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Impair Defenses
1Safe Mode Boot
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5ab97bc0e47fb7eb75d141a4338d0acaf
SHA10c82b102dcd532db7d9a4b772ec6b71b84eabd1a
SHA2566d6816b2839b4f8c3b7020f8bdad338c382ff18a3098a762661124e10b68a1b9
SHA51221eb3df04f61230bf3f4f63038f479ea313b894ce909d18ac3957b7639361366b2db4c97eeacd8c9f32978ccd469ad477e5759f2a7803b755a95608fb51ff89b
-
Filesize
37KB
MD56cfcfe00292aff1e0cf69e86e18177e3
SHA103cc72c002e0baf8d414094c14a73298188dbb17
SHA25617c2284f0cbf2751ec32ab205a63d1b42b069cb80743a73da207676d7bea370b
SHA512af3852ff4ad24aabdd07a06fd39a8fbc0404e061754978ba47d773011efb320b31764d1691caaa1dc4063c646f576da7ed3c7e1a79a8cc5ab1b225bffd25dccd