lockbit | 69487c2f91495cfda293735fc01ac8d516b48359171e3b53581ccf3145bfb527

General

Target

69487c2f91495cfda293735fc01ac8d516b48359171e3b53581ccf3145bfb527.ps1
Size

590KB
MD5

e0411fcbbff0e20922d224c3ac8c811e
SHA1

1083bc3407717b9953ffe27ec8ef3f0a520fbc82
SHA256

69487c2f91495cfda293735fc01ac8d516b48359171e3b53581ccf3145bfb527
SHA512

0555dbe49cc4ac2e432b85e847ac48113d74651f8c238329645b1bb07968d3418e92122b7750a3902793824a932647fe5c27c1c3e841a010a354d789c358eba3
SSDEEP

1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJt:cA

Score

10^/10

lockbit discovery execution ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/memory/2424-15-0x0000000010000000-0x0000000010022000-memory.dmp	family_lockbit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2324	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
2424	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2424	2324	powershell.exe	32
PID 2324 wrote to memory of 2424	2324	powershell.exe	32
PID 2324 wrote to memory of 2424	2324	powershell.exe	32
PID 2324 wrote to memory of 2424	2324	powershell.exe	32
PID 2424 wrote to memory of 2772	2424	powershell.exe	34
PID 2424 wrote to memory of 2772	2424	powershell.exe	34
PID 2424 wrote to memory of 2772	2424	powershell.exe	34
PID 2424 wrote to memory of 2772	2424	powershell.exe	34

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\69487c2f91495cfda293735fc01ac8d516b48359171e3b53581ccf3145bfb527.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\Admin\AppData\Local\Temp\69487c2f91495cfda293735fc01ac8d516b48359171e3b53581ccf3145bfb527.ps1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "2424" "960"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259456293.txt

Filesize
1KB

MD5
818fd551637b29f3e01dca0aea4e2c4a

SHA1
c2add535acbe06e2ca3d4890408673449e244f6c

SHA256
fba708a839d8903ce8a80a0569a548832b0cfc0e5e95f2b0283189ef876f6b1d

SHA512
aa24a68f8d9e0dec80e8f3a0a2bc11e2edb6e6758371c2c0357f7ab1a6271c993ea7d583f441e3564b64a26fc1527d402de731431c8fa7683cb5521ecd90a532

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LMO2X9HDUWAN6QBFX5HN.temp

Filesize
7KB

MD5
99e02484ba49c86e64d2c9f100a6262c

SHA1
0223f0d06e04e7b07b6322b5ae80223dfa3a98e8

SHA256
4f293cf6f6d67fbff424bf484ffed6b54b1bfc74ea0815c6da93d390f604ca37

SHA512
5fe09c234b02b8ccc4747697161e52678792d8854f371861f8010bde48b391cf7ebbda5b2f390082dc7f29cf584896363f1240b3818b5b58e9bab0dd53b96384

Download Submit
memory/2324-4-0x000007FEF5ABE000-0x000007FEF5ABF000-memory.dmp

Filesize
4KB

Download
memory/2324-5-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2324-7-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2324-6-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2324-8-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2324-9-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2324-10-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2324-11-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2324-12-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-15-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing