Analysis
-
max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
24-12-2024 04:15
Static task
static1
Behavioral task
behavioral1
Sample
6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30.ps1
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30.ps1
Resource
win10v2004-20241007-en
General
-
Target
6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30.ps1
-
Size
590KB
-
MD5
2b84852065e28974e4081826ff09ddc1
-
SHA1
fa70a7f2a36ba300f57b130a31ef1ab66a1397ac
-
SHA256
6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30
-
SHA512
63f44bc545a7b7da355903f99dcbfd0033756f41717bc9b210bdc2094f97c2efa68dee814d03e392d94e579ae170e16ef447f86b07363b1fedffa7c7d3b54ce1
-
SSDEEP
1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJw:cR
Malware Config
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
resource | yara_rule
behavioral1/memory/2716-13-0x0000000010000000-0x0000000010022000-memory.dmp | family_lockbit
-
Command and Scripting Interpreter: PowerShell
pid | Process
1792 | powershell.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wermgr.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1792 | powershell.exe
1792 | powershell.exe
1792 | powershell.exe
2716 | powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1792 | powershell.exe
Token: SeDebugPrivilege | 2716 | powershell.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1792 wrote to memory of 2716 | 1792 | powershell.exe | 31 (reported 4 times)
PID 2716 wrote to memory of 2244 | 2716 | powershell.exe | 33 (reported 4 times)
Processes
-
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30.ps1
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1792
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 1792)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\Admin\AppData\Local\Temp\6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30.ps1
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2716
      3. C:\Windows\SysWOW64\wermgr.exe (child of PID 2716)
         Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2716" "960"
         - System Location Discovery: System Language Discovery
         PID: 2244
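The process tree and the System Language Discovery signature above describe a small, repeatable pattern: a 64-bit powershell.exe started with an execution-policy bypass re-launches the same script in the 32-bit (SysWOW64) host with the abbreviated switches -ex bypass -nonI, the 32-bit host reads HKLM\SYSTEM\ControlSet001\Control\NLS\Language, and a wermgr.exe "-outproc" child follows. The checks below are an added example written for this page; they are not part of the sandbox report and not the sample's own code. The EVENTS list is constructed to mirror the report's IoCs, and the record layout and field names (type, pid, ppid, image, cmdline, target) are assumptions about a generic process/registry telemetry feed. The example goes slightly beyond the report in two ways: it matches the parameter prefixes powershell.exe itself accepts (-ex, -exec, -ep, -noni and longer) rather than only the two spellings seen here, and it treats wermgr.exe -outproc <pid> as Windows Error Reporting's out-of-process handler for the named faulting process, which is what that command line denotes.

```python
"""Detection checks for the behaviours recorded in the report above.

Added example, not part of the sandbox report. EVENTS is constructed to
mirror the page's process tree and registry IoCs; the record layout and
field names (type, pid, ppid, image, cmdline, target) are assumptions.
"""
import re
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30.ps1"

# Constructed telemetry modelled on the report (not real sandbox output).
EVENTS: List[Dict] = [
    {"type": "process", "pid": 1792, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy bypass -File " + SAMPLE},
    {"type": "process", "pid": 2716, "ppid": 1792,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI ' + SAMPLE},
    {"type": "registry", "pid": 2716,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "process", "pid": 2244, "ppid": 2716,
     "image": r"C:\Windows\SysWOW64\wermgr.exe",
     "cmdline": r'"C:\Windows\system32\wermgr.exe" "-outproc" "2716" "960"'},
    {"type": "registry", "pid": 2244,          # benign reader of the same key
     "image": r"C:\Windows\SysWOW64\wermgr.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]

# powershell.exe accepts any unambiguous prefix of -ExecutionPolicy from
# "-ex" on, plus the explicit "-ep" alias, and any prefix of -NonInteractive
# from "-noni" on, so match the prefixes rather than the full switch names.
EXEC_POLICY = re.compile(r"(?:^|\s)-(?:ep|ex[a-z]*)[\s:]+(bypass|unrestricted)\b", re.I)
NON_INTERACTIVE = re.compile(r"(?:^|\s)-noni[a-z]*\b", re.I)
# WER out-of-process handler: wermgr.exe -outproc <faulting pid> <event handle>
WER_OUTPROC = re.compile(r'wermgr\.exe"?\s+"?-outproc"?\s+"?(\d+)', re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_wow64(image: str) -> bool:
    return "\\syswow64\\" in image.lower()


def powershell_policy_bypass(events):
    """(pid, policy, non_interactive) for every PowerShell start that bypasses policy."""
    hits = []
    for e in events:
        if e["type"] != "process" or basename(e["image"]) not in {"powershell.exe", "pwsh.exe"}:
            continue
        m = EXEC_POLICY.search(e["cmdline"])
        if m:
            hits.append((e["pid"], m.group(1).lower(), bool(NON_INTERACTIVE.search(e["cmdline"]))))
    return hits


def wow64_downgrade(events):
    """(parent_pid, child_pid) where a native-path binary spawns its own SysWOW64 copy."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    out = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent is None:
            continue
        if (basename(e["image"]) == basename(parent["image"])
                and is_wow64(e["image"]) and not is_wow64(parent["image"])):
            out.append((parent["pid"], e["pid"]))
    return out


def language_discovery(events):
    """PIDs of script hosts reading NLS\\Language; WER and other system readers are ignored."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "registry"
                   and e["target"].lower().endswith(r"\control\nls\language")
                   and basename(e["image"]) in SCRIPT_HOSTS})


def wer_crash_reports(events):
    """{faulting pid: wermgr pid}; a '-outproc' child means the named process crashed."""
    crashed = {}
    for e in events:
        if e["type"] != "process" or basename(e["image"]) != "wermgr.exe":
            continue
        m = WER_OUTPROC.search(e["cmdline"])
        if m:
            crashed[int(m.group(1))] = e["pid"]
    return crashed


def analyze(events):
    bypass = powershell_policy_bypass(events)
    downgrade = wow64_downgrade(events)
    return {
        "policy_bypass_pids": [pid for pid, _, _ in bypass],
        "noninteractive_pids": [pid for pid, _, ni in bypass if ni],
        "wow64_downgrade": downgrade,
        "language_discovery_pids": language_discovery(events),
        "crashed_pids": sorted(wer_crash_reports(events)),
        "suspicious": bool(bypass) and bool(downgrade),
    }


if __name__ == "__main__":
    print(analyze(EVENTS))
```

Two caveats the raw signature counts hide: the language-key read by wermgr.exe is ordinary WER behaviour, so the System Language Discovery IoC on PID 2244 carries no signal on its own and the check above keeps only script hosts; and the parent-to-child WriteProcessMemory entries (1792 into 2716, 2716 into 2244) are consistent with normal process start-up rather than injection. The evidence that matters in this report is the family_lockbit YARA hit in PID 2716's memory at 0x10000000-0x10022000, together with the architecture downgrade that put the script into a 32-bit host.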
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 f46adc8c400498d75723a1f2931b7d63
SHA1 2f0e04062360e1e24d5f07bbcea2f89447463299
SHA256 cc4d78ff3a3594dddc5fc6b07478c2eb31199dc4767d3bf63cd7da0d3ed858f3
SHA512 a63f580801996444856fe32787b0ee9bf1766ae48a9af4e999bffff10147c72b671d6012b8706068c71e252d35ddda4e6ad31ee638f5128d9c2e71798a78b15e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EQXDQAX78YLKXUES2NCP.temp
Filesize 7KB
MD5 38127e2003dcc007860dc255cdc6f157
SHA1 c8e2ed1f61caa6a0b1aec3f36bae6665ec1a360b
SHA256 7fd1d65be318d3bb6efaed72a5c8d4ee773fd5b296e4616820741d08f1d10e47
SHA512 38e98e6857f43e834d4f88741c7f32772ac243b3f3c4fa464dd755a8e5370fe2b98bd74cac5b032edca87b88ca4d0c5bba162a4e4d7f9269b4bc7c44bee9f4ae