Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2024 11:33
Static task
static1
Behavioral task
behavioral1
Sample
0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
Resource
win10v2004-20241007-en
General
-
Target
0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
-
Size
590KB
-
MD5
7e525ef64a4e27fbb325d7cb4653f0a1
-
SHA1
8d3756c9e7a78a5a7dd8fca67e7de51a9ea59a52
-
SHA256
0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9
-
SHA512
ec9832d42f86fd086a929c0a5cb31d7d3839d6e5b5c8c15670c477b507a2b66f60ce438006fb11a20522c7ede600e098c3f385720191851b91d5945eb0e50372
-
SSDEEP
1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJs:QR
Malware Config
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
resource yara_rule behavioral2/memory/3464-63-0x0000000010000000-0x0000000010022000-memory.dmp family_lockbit -
pid Process 4808 powershell.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5028 3464 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4808 powershell.exe 4808 powershell.exe 3464 powershell.exe 3464 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4808 powershell.exe Token: SeDebugPrivilege 3464 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4808 wrote to memory of 3464 4808 powershell.exe 83 PID 4808 wrote to memory of 3464 4808 powershell.exe 83 PID 4808 wrote to memory of 3464 4808 powershell.exe 83
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\Admin\AppData\Local\Temp\0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps12⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3464 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 26123⤵
- Program crash
PID:5028
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3464 -ip 34641⤵PID:3208
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d5198d7e3f350aca580d4160e3cb0493
SHA167d8eb10aeeb2c5075a9823a5b9f6dfab84a237d
SHA256f26fac220a2f7479a976f51e6370bc525a7ae40b7e129cebfdeae42214669f70
SHA512755d2eca2a90ea0c05beeea95f3c47f54ccce11b77c2a2af886e0b86480600d4100d24c2cbbc8ba3491f5c6e175794609c85e3a0f72f44adf9f35df7930363f5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82