Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 23-12-2024 11:33
Static task: static1
Behavioral task: behavioral1
  Sample: 0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
  Resource: win10v2004-20241007-en
General
Target: 0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
Size: 590KB
MD5: 7e525ef64a4e27fbb325d7cb4653f0a1
SHA1: 8d3756c9e7a78a5a7dd8fca67e7de51a9ea59a52
SHA256: 0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9
SHA512: ec9832d42f86fd086a929c0a5cb31d7d3839d6e5b5c8c15670c477b507a2b66f60ce438006fb11a20522c7ede600e098c3f385720191851b91d5945eb0e50372
SSDEEP: 1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJs:QR
Malware Config
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload (1 IoC)
resource | yara_rule
behavioral1/memory/2600-13-0x0000000010000000-0x0000000010022000-memory.dmp | family_lockbit

pid | Process
2128 | powershell.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wermgr.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2128 | powershell.exe
2128 | powershell.exe
2128 | powershell.exe
2600 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2128 | powershell.exe
Token: SeDebugPrivilege | 2600 | powershell.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2128 wrote to memory of 2600 | 2128 | powershell.exe | 31
PID 2128 wrote to memory of 2600 | 2128 | powershell.exe | 31
PID 2128 wrote to memory of 2600 | 2128 | powershell.exe | 31
PID 2128 wrote to memory of 2600 | 2128 | powershell.exe | 31
PID 2600 wrote to memory of 2888 | 2600 | powershell.exe | 33
PID 2600 wrote to memory of 2888 | 2600 | powershell.exe | 33
PID 2600 wrote to memory of 2888 | 2600 | powershell.exe | 33
PID 2600 wrote to memory of 2888 | 2600 | powershell.exe | 33
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2128)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2600, child of 2128)
    Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\Admin\AppData\Local\Temp\0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wermgr.exe (PID 2888, child of 2600)
      Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2600" "964"
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: a351eff4761ea7c3b7e851d17643b661
SHA1: fa40770c0954a2466bdbaee614b43450ad41a73d
SHA256: 148e87414f56b1ab4c552dd070562227ccee18fa8354434b1f64d2d865f839c9
SHA512: f98a04c9e3770218fb54966616ad4d6dcf403b3b4532ff64d23dd59a3141605b14bf3350ed9d4480cd65eeb7d36808fc0b4b00f843bf69f02b3cd292ceddd710

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0BFG018287N66VFT3ULU.temp
Filesize: 7KB
MD5: d8082f93158bd9cac9d53ba7bfb20d4a
SHA1: 2f9fee09bc20e68ad2fa0769c8dddb3e388a1672
SHA256: 7219dd36101251d4b64b2d09dcbc4be5ed64c09ffd0eb7fc9e1534901f1ce7aa
SHA512: c2aeda7af9cb81d194eb6bd2d5c1c0783f36495af771c75c17728879c9064b1040c77714f55535f9bb2d8bfc7fb4a3449781bc467b8ab720b9cf18ff64a9e3af