Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 21-09-2022 11:22
Behavioral tasks
behavioral1: sample LockBit30/Build.bat, resource win7-20220812-en
behavioral2: sample LockBit30/Build.bat, resource win10v2004-20220812-en
behavioral3: sample LockBit30/builder.exe, resource win7-20220812-en
behavioral4: sample LockBit30/builder.exe, resource win10v2004-20220901-en
behavioral5: sample LockBit30/keygen.exe, resource win7-20220812-en
behavioral6: sample LockBit30/keygen.exe, resource win10v2004-20220812-en
General
Target: LockBit30/Build.bat
Size: 741B
MD5: 4e46e28b2e61643f6af70a8b19e5cb1f
SHA1: 804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256: 8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512: 009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b
Malware Config
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs
pid   Process
1588  keygen.exe
1728  builder.exe
1508  builder.exe
1740  builder.exe
1348  builder.exe
988   builder.exe
1992  builder.exe
Suspicious use of WriteProcessMemory 28 IoCs
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\LockBit30\Build.bat"
- Suspicious use of WriteProcessMemory
PID:2000
    C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
    keygen -path C:\Users\Admin\AppData\Local\Temp\LockBit30\Build -pubkey pub.key -privkey priv.key
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1588
    C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
    builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3Decryptor.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1728
    C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
    builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1508
    C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
    builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_pass.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1740
    C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
    builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32.dll
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1348
    C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
    builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32_pass.dll
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:988
    C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
    builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1992
Network
MITRE ATT&CK Matrix
Downloads