Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
13/10/2024, 19:01
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe
-
Size
113KB
-
MD5
f018e2b0f1ca22198aaab119c78af25b
-
SHA1
39e5b12e5a1a606b6674b1d29ddd385877282bdd
-
SHA256
f9c7087bff99faedb979af23c711502c46c0899ec3299237c76b9e1efa48514f
-
SHA512
5ca081392c96abc4ff38ee36197171f074835c258884a6222063beea1914d00c62fe7977c2a0fa064dea27c7edaec4c76d0fdc0c36ef05a19e2b5235de59db79
-
SSDEEP
3072:nAxuW+dDvUuBSx40480b9q7nYniRrxVJ0NxylZVVAIf7GVVVrzpDWtbO/3Xb:ni47Uu04809q7nkiRrxKylZVVAIf7GV7
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 3000 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2856 certutil.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__b2f5d0a268ef7601\certutil.exe:Zone.Identifier 2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language certutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fsutil.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3000 cmd.exe 3016 PING.EXE -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\v2.0_2.0.0.0__b2f5d0a268ef7601\certutil.exe:Zone.Identifier 2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3016 PING.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1664 wrote to memory of 3000 1664 2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe 32 PID 1664 wrote to memory of 3000 1664 2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe 32 PID 1664 wrote to memory of 3000 1664 2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe 32 PID 1664 wrote to memory of 3000 1664 2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe 32 PID 3000 wrote to memory of 3016 3000 cmd.exe 34 PID 3000 wrote to memory of 3016 3000 cmd.exe 34 PID 3000 wrote to memory of 3016 3000 cmd.exe 34 PID 3000 wrote to memory of 3016 3000 cmd.exe 34 PID 3000 wrote to memory of 3040 3000 cmd.exe 35 PID 3000 wrote to memory of 3040 3000 cmd.exe 35 PID 3000 wrote to memory of 3040 3000 cmd.exe 35 PID 3000 wrote to memory of 3040 3000 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe"1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c ping -n 2 127.0.0.1 > NUL & fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe" & del "C:\Users\Admin\AppData\Local\Temp\2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe" > NUL & exit2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3016
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-13_f018e2b0f1ca22198aaab119c78af25b_lockbit.exe"3⤵
- System Location Discovery: System Language Discovery
PID:3040
-
-
-
C:\ProgramData\Microsoft\v2.0_2.0.0.0__b2f5d0a268ef7601\certutil.exeC:\ProgramData\Microsoft\v2.0_2.0.0.0__b2f5d0a268ef7601\certutil.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
113KB
MD5f018e2b0f1ca22198aaab119c78af25b
SHA139e5b12e5a1a606b6674b1d29ddd385877282bdd
SHA256f9c7087bff99faedb979af23c711502c46c0899ec3299237c76b9e1efa48514f
SHA5125ca081392c96abc4ff38ee36197171f074835c258884a6222063beea1914d00c62fe7977c2a0fa064dea27c7edaec4c76d0fdc0c36ef05a19e2b5235de59db79