Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 02:06
Static task: static1
Behavioral task: behavioral1
  Sample: 0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
  Resource: win10v2004-20241007-en
General
Target: 0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
Size: 590KB
MD5: 7e525ef64a4e27fbb325d7cb4653f0a1
SHA1: 8d3756c9e7a78a5a7dd8fca67e7de51a9ea59a52
SHA256: 0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9
SHA512: ec9832d42f86fd086a929c0a5cb31d7d3839d6e5b5c8c15670c477b507a2b66f60ce438006fb11a20522c7ede600e098c3f385720191851b91d5945eb0e50372
SSDEEP: 1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJs:QR
Malware Config
Signatures
Lockbit
  Ransomware family with multiple variants released since late 2019.
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload (1 IoC)
  resource: behavioral1/memory/2340-15-0x0000000010000000-0x0000000010022000-memory.dmp, yara_rule: family_lockbit
  pid 2532, process powershell.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: powershell.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: wermgr.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2532, process powershell.exe (3 entries)
  pid 2340, process powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege, pid 2532, process powershell.exe
  description: Token: SeDebugPrivilege, pid 2340, process powershell.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2532 wrote to memory of 2340, pid 2532, process powershell.exe, procid_target 31 (4 entries)
  description: PID 2340 wrote to memory of 2728, pid 2340, process powershell.exe, procid_target 33 (4 entries)
Processes
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
   PID: 2532
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\Admin\AppData\Local\Temp\0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
      PID: 2340
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\wermgr.exe
         Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2340" "960"
         PID: 2728
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1KB
  MD5: c33244966e3cd922db200ccc434a2bc5
  SHA1: 2cf35635dcbd86d8adfd77df44bfb2bb1fc77477
  SHA256: 94098bc63d3719c7fc7de078a7563aec59f1a122c56eb9adaa7e48969ab88623
  SHA512: 4fff90bc57234f1090dda446668ddcafc2a92b15a47cdbfc13c9e2147e8a3cfa6c8f639ce3db520efbbf5a466241206b21d8fb3222c80e41e87eff2b092ac8dd
File 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VKCA9QUX420MLAIUYM4P.temp
  Filesize: 7KB
  MD5: 5bd004d2e41674670d207c6f53822342
  SHA1: 9bdc65656acec03a919f7e56f02d0809280b47af
  SHA256: 594388f83296b877dcaa9abd4bf78e0ab31b82f4faaf5a5c88cae2f132a9d269
  SHA512: d3a5b5a2c9a5433a0d938b88cabc5a5726fed4837783b10d74b7828f64338ace0d3b8bec41e86e560f09111dbbf8d809363288b9a54f395735fa0c13b79f4aa4