Managed XDR

9ba6e70358b1e0488d406dc94e0dacda.virus (Lockbit) — malware analysis report

File info

Filename
9ba6e70358b1e0488d406dc94e0dacda.virus
File type
PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size
305 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
209c4c7a9d431b78dcbbd81acb799bb2f00a150b
SHA256
e09165077b0ede3b5367406958bdaaa7fcdad33b121af0bd55e0cf0e304076cf
MD5
9ba6e70358b1e0488d406dc94e0dacda

Malwares

  • Lockbit

Signatures

Execution

T1059.003 cmd_ping_del: Uses cmd.exe for pausing and deletion of the original file
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1134 sets_privilegies_via_rtladjustprivilege: Sets process privilege via RtlAdjustPrivilege
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070.004 deletes_self: Moves to different location or removes the original executable file
T1070.004 cmd_ping_del: Uses cmd.exe for pausing and deletion of the original file
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1134 sets_privilegies_via_rtladjustprivilege: Sets process privilege via RtlAdjustPrivilege
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.001 antivm_queries_computername: Retrieves the computer name
T1070 stealth_window: A process created a hidden window
T1070.004 self_removal_command: Executes command to delete itself

Credential Access

T1552.001 infostealer_bitcoin: Attempts to obtain access to Bitcoin/ALTCoin wallets
T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1057 process_interest: Enumerates processes
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1083 crawls_directories: Opens a huge number of directories all over disk C: (possibly, searches for sensitive data)
T1518 locates_browser: Attempts to identify where browsers are installed
T1016.001 system_network_configuration_discovery: System network configuration discovery detected
T1497.001 antivm_queries_computername: Retrieves the computer name

Impact

T1486 modifies_files2: Cryptolocker indicators detected (500 or more files are modified)
T1486 modifies_files: Cryptolocker indicators detected (renamed 500 or more files)
T1486 ransomware_extensions: Ransomware(s) Lockbit indicators detected (specific extension is added to files)
T1490 vssadmin_delete_shadows: Attempt to delete volume shadow copies
T1490 wbadmin_delete_backup: Removes system backup copies using wbadmin utility
T1486 ransomware_message: Ransomware indicators detected (possible ransom message creation)
T1486 ransomware_files: Ransomware indicators detected Lockbit (creates keys and the instruction on how to unlock the files)

Other

yara_rules: Static rules
ce_info: Lockbit Configuration Data found
lockbit: Detected ransomware Lockbit
ransomware_shadowcopy: Removes volume shadow copies
ransomware_bcdedit: Runs bcdedit commands specific to ransomware
cryptolocker_wallpaper: Ransomware indicators detected (changes the desktop wallpaper file)
create_process_failed: Could not start the process
network_anomaly: Network anomalies occured during the analysis
unexpected_exception: Unexpected exception
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
access_recyclebin: Manipulation with recyclebin detected
origin_langid: Unconventional language of the executable file
get_policy_info: Retrieves information about a Policy object
creates_in_programdata: Creates files in the ProgramData directory
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk

Related reports