Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 23-12-2024 11:33
Static task: static1
Behavioral task: behavioral1
- Sample: 6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30.ps1
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30.ps1
- Resource: win10v2004-20241007-en
General
- Target: 6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30.ps1
- Size: 590KB
- MD5: 2b84852065e28974e4081826ff09ddc1
- SHA1: fa70a7f2a36ba300f57b130a31ef1ab66a1397ac
- SHA256: 6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30
- SHA512: 63f44bc545a7b7da355903f99dcbfd0033756f41717bc9b210bdc2094f97c2efa68dee814d03e392d94e579ae170e16ef447f86b07363b1fedffa7c7d3b54ce1
- SSDEEP: 1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJw:cR
Malware Config
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Lockbit family
- Rule to detect Lockbit 3.0 ransomware Windows payload (1 IoCs)
  resource | yara_rule
  behavioral1/memory/2884-15-0x0000000010000000-0x0000000010022000-memory.dmp | family_lockbit
- pid | Process
  2208 | powershell.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wermgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2208 | powershell.exe
  2208 | powershell.exe
  2208 | powershell.exe
  2884 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2208 | powershell.exe
  Token: SeDebugPrivilege | 2884 | powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2208 wrote to memory of 2884 | 2208 | powershell.exe | 31
  PID 2208 wrote to memory of 2884 | 2208 | powershell.exe | 31
  PID 2208 wrote to memory of 2884 | 2208 | powershell.exe | 31
  PID 2208 wrote to memory of 2884 | 2208 | powershell.exe | 31
  PID 2884 wrote to memory of 2696 | 2884 | powershell.exe | 33
  PID 2884 wrote to memory of 2696 | 2884 | powershell.exe | 33
  PID 2884 wrote to memory of 2696 | 2884 | powershell.exe | 33
  PID 2884 wrote to memory of 2696 | 2884 | powershell.exe | 33
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30.ps1
  PID: 2208
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\Admin\AppData\Local\Temp\6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30.ps1
    PID: 2884
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wermgr.exe
      Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2884" "860"
      PID: 2696
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 78965e1e54602dceeb0a6de4ca31d11f
  SHA1: c6a3bd8dacc31dc23fec7cf203e1630130619251
  SHA256: 609bdee47bf11ba8d8cb4784dd85c93d785f551d69b29f35623afd1dc3b967cd
  SHA512: 826b25eef58061cb5e2e3ee464f1d3698ebafbbe9e76a0704ad2d563eb17a70adb1e2cb9a529b71fcafa9758e2043661255e55a6b38fd6fb5e6dde49f61080d6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X51OSC2CVDXVF8NYKPRV.temp
  Filesize: 7KB
  MD5: b3dc452f11282263846e14b9cb46be60
  SHA1: 688ce6575e377f1377d6c9c0826ed08b03124436
  SHA256: 45d11ec212583856b608b941f841c67100976de5484fa811f17877ed964be023
  SHA512: 4bdb3463a92f32d10ed0adc0731e47647f49649098275b6cc5c97b81b658ee2db17d294c272715db8185ad9e2b4a5516482072d0bd1a2d0054d67f5f3775c8c8