blackmatter | hxxps://github[.]com/3xp0rt/LockBit-Black-Builder

Resubmissions

22-09-2022 10:08

220922-l6m2ssbba9 10

21-09-2022 16:19

220921-tspx8sccdj 10

21-09-2022 15:04

220921-sfwpkscbcq 10

21-09-2022 14:54

220921-r93jjscbbk 10

Analysis

max time kernel
508s
max time network
515s
platform
windows10-2004_x64
resource
win10v2004-20220812-it
resource tags

arch:x64arch:x86image:win10v2004-20220812-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
21-09-2022 15:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/3xp0rt/LockBit-Black-Builder

Score

10^/10

blackmatter ransomware spyware stealer

Malware Config

Extracted

Path

C:\7MndmOidL.README.txt

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: 598954663666452@exploit.im 365473292355268@thesecure.biz >>>> Your personal DECRYPTION ID: BDB1CE4E7983BFE8DD13C17C2538CFE1 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: 598954663666452@exploit.im 365473292355268@thesecure.biz If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

598954663666452@exploit.im

365473292355268@thesecure.biz

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Extracted

Family

blackmatter

Version

25.239

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Executes dropped EXE 11 IoCs

Processes:

keygen.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exeLB3_pass.exeLB3.exe853F.tmpLB3Decryptor.exe

pid	process
4620	keygen.exe
2772	builder.exe
3952	builder.exe
4044	builder.exe
2368	builder.exe
4720	builder.exe
4352	builder.exe
1436	LB3_pass.exe
704	LB3.exe
976	853F.tmp
3584	LB3Decryptor.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

LB3.exeLB3Decryptor.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\HideLock.tif => C:\Users\Admin\Pictures\HideLock.tif.7MndmOidL	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\SendSave.raw.7MndmOidL	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertLimit.png.7MndmOidL	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\HideLock.tif.7MndmOidL	LB3.exe
File renamed	C:\Users\Admin\Pictures\SendSave.raw => C:\Users\Admin\Pictures\SendSave.raw.7MndmOidL	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertLimit.png.7MndmOidL	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\HideLock.tif.7MndmOidL	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\SendSave.raw.7MndmOidL	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\ConvertLimit.png => C:\Users\Admin\Pictures\ConvertLimit.png.7MndmOidL	LB3.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

853F.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 853F.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Drops desktop.ini file(s) 1 IoCs

Processes:

LB3.exe

description ioc process

File opened for modification C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini LB3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	853F.tmp

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini	LB3.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

LB3.exeLB3Decryptor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7MndmOidL.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7MndmOidL.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

853F.tmp

pid process

976 853F.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3816 1436 WerFault.exe LB3_pass.exe

pid	process
976	853F.tmp

pid	pid_target	process	target process
3816	1436	WerFault.exe	LB3_pass.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

LB3.exeLB3Decryptor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop	LB3.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 10 IoCs

Processes:

LB3.exeLB3Decryptor.exeOpenWith.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7MndmOidL	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7MndmOidL\ = "7MndmOidL"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7MndmOidL\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7MndmOidL	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7MndmOidL\DefaultIcon\ = "C:\\ProgramData\\7MndmOidL.ico"	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\7MNDMOIDL\DEFAULTICON	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7MndmOidL	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OpenWith.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.7MndmOidL	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 7 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

2820 NOTEPAD.EXE
2560 NOTEPAD.EXE
3864 NOTEPAD.EXE
768 NOTEPAD.EXE
4464 NOTEPAD.EXE
508 NOTEPAD.EXE
2792 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

4488 vlc.exe

pid	process
2820	NOTEPAD.EXE
2560	NOTEPAD.EXE
3864	NOTEPAD.EXE
768	NOTEPAD.EXE
4464	NOTEPAD.EXE
508	NOTEPAD.EXE
2792	NOTEPAD.EXE

pid	process
4488	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeLB3.exe

pid	process
3816	chrome.exe
3816	chrome.exe
2896	chrome.exe
2896	chrome.exe
852	chrome.exe
852	chrome.exe
752	chrome.exe
752	chrome.exe
2808	chrome.exe
2808	chrome.exe
852	chrome.exe
852	chrome.exe
4536	chrome.exe
4536	chrome.exe
4596	chrome.exe
4596	chrome.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe
704	LB3.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exevlc.exe

pid process

3508 OpenWith.exe
4488 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2896 chrome.exe
2896 chrome.exe
2896 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zG.exeLB3.exe

description	pid	process
Token: SeRestorePrivilege	1028	7zG.exe
Token: 35	1028	7zG.exe
Token: SeSecurityPrivilege	1028	7zG.exe
Token: SeSecurityPrivilege	1028	7zG.exe
Token: SeAssignPrimaryTokenPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeDebugPrivilege	704	LB3.exe
Token: 36	704	LB3.exe
Token: SeImpersonatePrivilege	704	LB3.exe
Token: SeIncBasePriorityPrivilege	704	LB3.exe
Token: SeIncreaseQuotaPrivilege	704	LB3.exe
Token: 33	704	LB3.exe
Token: SeManageVolumePrivilege	704	LB3.exe
Token: SeProfSingleProcessPrivilege	704	LB3.exe
Token: SeRestorePrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeSystemProfilePrivilege	704	LB3.exe
Token: SeTakeOwnershipPrivilege	704	LB3.exe
Token: SeShutdownPrivilege	704	LB3.exe
Token: SeDebugPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeBackupPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe
Token: SeSecurityPrivilege	704	LB3.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

chrome.exe7zG.exevlc.exe

pid	process
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
1028	7zG.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
4488	vlc.exe
4488	vlc.exe
4488	vlc.exe
4488	vlc.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

chrome.exevlc.exe

pid	process
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
4488	vlc.exe
4488	vlc.exe
4488	vlc.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

OpenWith.exeLB3Decryptor.exevlc.exeLogonUI.exe

pid	process
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3584	LB3Decryptor.exe
4488	vlc.exe
1296	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2896 wrote to memory of 4972	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4972	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 1080	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 3816	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 3816	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2280	2896	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com/3xp0rt/LockBit-Black-Builder
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedf234f50,0x7ffedf234f60,0x7ffedf234f70
2⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
2⤵
PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1996 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:8
2⤵
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
2⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4260 /prefetch:8
2⤵
PID:3956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4904 /prefetch:8
2⤵
PID:1128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5384 /prefetch:8
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:8
2⤵
PID:1412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8
2⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:8
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4236 /prefetch:8
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4224

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\LockBit30\" -spe -an -ai#7zMap9867:74:7zEvent16933
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit30\Build.bat" "
1⤵
PID:3996

C:\Users\Admin\Desktop\LockBit30\keygen.exe
keygen -path C:\Users\Admin\Desktop\LockBit30\Build -pubkey pub.key -privkey priv.key
2⤵
- Executes dropped EXE
PID:4620

C:\Users\Admin\Desktop\LockBit30\builder.exe
builder -type dec -privkey C:\Users\Admin\Desktop\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe
2⤵
- Executes dropped EXE
PID:2772

C:\Users\Admin\Desktop\LockBit30\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe
2⤵
- Executes dropped EXE
PID:3952

C:\Users\Admin\Desktop\LockBit30\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3_pass.exe
2⤵
- Executes dropped EXE
PID:4044

C:\Users\Admin\Desktop\LockBit30\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3_Rundll32.dll
2⤵
- Executes dropped EXE
PID:2368

C:\Users\Admin\Desktop\LockBit30\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3_Rundll32_pass.dll
2⤵
- Executes dropped EXE
PID:4720

C:\Users\Admin\Desktop\LockBit30\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
2⤵
- Executes dropped EXE
PID:4352

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit30\Build\DECRYPTION_ID.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:508

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit30\Build\Password_dll.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2792

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit30\Build\Password_exe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2820

C:\Users\Admin\Desktop\LockBit30\Build\LB3_pass.exe
"C:\Users\Admin\Desktop\LockBit30\Build\LB3_pass.exe"
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 280
2⤵
- Program crash
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1436 -ip 1436
1⤵
PID:1240

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit30\Build\Password_exe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3508

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit30\Build\pub.key
2⤵
- Opens file in notepad (likely ransom note)
PID:3864

C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe
"C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\ProgramData\853F.tmp
"C:\ProgramData\853F.tmp"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\853F.tmp >> NUL
3⤵
PID:5004

C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3584

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SaveComplete.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:768

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SuspendExport.m4v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4488

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RestartBackup.css
1⤵
- Opens file in notepad (likely ransom note)
PID:4464

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38d5855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\AAAAAAAAAAA
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\BBBBBBBBBBB
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\CCCCCCCCCCC
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\DDDDDDDDDDD
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\EEEEEEEEEEE
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\FFFFFFFFFFF
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\GGGGGGGGGGG
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\HHHHHHHHHHH
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\IIIIIIIIIII
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\JJJJJJJJJJJ
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\KKKKKKKKKKK
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\LLLLLLLLLLL
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\MMMMMMMMMMM
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\NNNNNNNNNNN
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\OOOOOOOOOOO
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\PPPPPPPPPPP
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\QQQQQQQQQQQ
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\RRRRRRRRRRR
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\SSSSSSSSSSS
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\TTTTTTTTTTT
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\UUUUUUUUUUU
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\VVVVVVVVVVV
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\WWWWWWWWWWW
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini
Filesize
129B

MD5
830198dd3f169d41310015015afa5763

SHA1
33cfd18395748f855e842fe948444ff000d2c143

SHA256
c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494

SHA512
c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build.bat
Filesize
741B

MD5
4e46e28b2e61643f6af70a8b19e5cb1f

SHA1
804a1d0c4a280b18e778e4b97f85562fa6d5a4e6

SHA256
8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339

SHA512
009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\DECRYPTION_ID.txt
Filesize
16B

MD5
df882b5d8d6bb9a10eef0489b19ab8f0

SHA1
bd23d8d8effce7ede9be86b8672d843520cd51d0

SHA256
767c1443950e9c293eb98411faa9cffd043e0115c050572e5c3838eda05f4b34

SHA512
2951a368b9bdeb81a2492a40d2abd49f32dbbdb9f1950a6038c0796342b2d05029200eb3ca9557321db9731f9a51931499263f3788aa5ed93f3d176da247858b

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe
Filesize
153KB

MD5
f7cb62641b7958a73fb2fd84a24a223a

SHA1
37de3259b2b780e1af447c44476f1226f1857216

SHA256
7549f1fdad2d362e6b9aeedce9a7690c2c9bcf7d07044e707f7a1ecef6e65c7f

SHA512
2a27b6adad1256783e868fff8a48b26fa0c2f9931b1ab70d75a897dc7bfcd7e5a33a433807f605f760dfa292905f97ef19b58b8ac65ac8f0403b542d35a4f114

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe
Filesize
153KB

MD5
f7cb62641b7958a73fb2fd84a24a223a

SHA1
37de3259b2b780e1af447c44476f1226f1857216

SHA256
7549f1fdad2d362e6b9aeedce9a7690c2c9bcf7d07044e707f7a1ecef6e65c7f

SHA512
2a27b6adad1256783e868fff8a48b26fa0c2f9931b1ab70d75a897dc7bfcd7e5a33a433807f605f760dfa292905f97ef19b58b8ac65ac8f0403b542d35a4f114

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\LB3_pass.exe
Filesize
149KB

MD5
45caaa163205f69ff7b2a77aabd11e23

SHA1
63945e8ba9ca0df17c6cc2ef2488a12c2adde36d

SHA256
22d00c4b20e2be1d2c5025fe9328d33edd8daaf8ccaf63b3fe0ee31696a4398d

SHA512
19efe6a6f7f79889d388c6068e9d8a8c443a2f903612ab9c70948f66db37b3eb9d76b39f747a1dc651cc4542cb5c41b7d6a4768d650159c6478434b5e4ceb1eb

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\LB3_pass.exe
Filesize
149KB

MD5
45caaa163205f69ff7b2a77aabd11e23

SHA1
63945e8ba9ca0df17c6cc2ef2488a12c2adde36d

SHA256
22d00c4b20e2be1d2c5025fe9328d33edd8daaf8ccaf63b3fe0ee31696a4398d

SHA512
19efe6a6f7f79889d388c6068e9d8a8c443a2f903612ab9c70948f66db37b3eb9d76b39f747a1dc651cc4542cb5c41b7d6a4768d650159c6478434b5e4ceb1eb

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\Password_dll.txt
Filesize
1KB

MD5
b0cc1e3eafa3176bf20c304035fd30f3

SHA1
5294064911b8bec791438b2ac2c9ba15acb87f11

SHA256
c4f7358e9d412f164fe1ab18f6f6e428a7dd33edb7072e06f2e6de739c23acf2

SHA512
ce715da927e84f5893ae203d597aa931cfb40a68e536fc89ca97f15bbea5408ff5df441ed3bc8b057257d86a8666713ad03444853b6e45f663205087c6ab3e1e

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\Password_exe.txt
Filesize
2KB

MD5
7e6d3c85f5a8b3a604dd998845761026

SHA1
c95ba7f7eb0c11ffe71859f0236df44958208bfd

SHA256
2d7a80435de7c8f543942ea163aef9b2e10689682b782ac1641b690f22d03469

SHA512
aeb576340a6be9d8ea54365893e1f0a93a339dbef25f62885341f7b84c2d034f0f47c0a1e346cc47bf7e0b0154560770a3838a0e99629d8fc975ca8253dc1535

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\priv.key
Filesize
344B

MD5
52696bd99131f7082457051d9f442524

SHA1
fb0142a0e88b748ce56ca05a5968eb5182e45feb

SHA256
9473748830c66724655bcc0e8feb6f92d7b1569e7a2c375b934af5cb1350576a

SHA512
16612e1989a15e9dc5066bd4ef9a22a612bf927a604db6014f46620761388c3dd295b42d4528eeca3f2efe7e3458b208d3aa56bbd4317e0958608cbe96087380

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\pub.key
Filesize
344B

MD5
e86a924d3ee87a3394cd7a5586b8698b

SHA1
2a0e35bb929a7142be57c4c78a20630edddb8c78

SHA256
612af64d4e0afa6cd917f0778028a945043daae732200f2b5aab136ec79c07aa

SHA512
9b9ee6178e966412240784dad1d624bfd03fb298a3f06490f99716cd1d6eee355906e631dd23603f97b19a68a8888b322f01b1475644a80cdb581ae38dbcd53a

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe
Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe
Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe
Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe
Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe
Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe
Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe
Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\config.json
Filesize
8KB

MD5
a6ba7b662de10b45ebe5b6b7edaa62a9

SHA1
f3ed67bdaef070cd5a213b89d53c5b8022d6f266

SHA256
3f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8

SHA512
7fc9d4d61742a26def74c7dd86838482e3fc1e4e065cb3a06ae151e2c8614c9c36e8816ae0a3560ad5dd3cc02be131cb232c7deacc7f7b5a611e8eec790feea1

Download Submit
C:\Users\Admin\Desktop\LockBit30\keygen.exe
Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
C:\Users\Admin\Desktop\LockBit30\keygen.exe
Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
\??\pipe\crashpad_2896_JQWAIHVZOXEUVWHU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/976-187-0x0000000000000000-mapping.dmp

Download
memory/976-188-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1436-159-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-148-0x0000000000000000-mapping.dmp

Download
memory/2772-138-0x0000000000000000-mapping.dmp

Download
memory/3864-160-0x0000000000000000-mapping.dmp

Download
memory/3952-143-0x0000000000000000-mapping.dmp

Download
memory/4044-146-0x0000000000000000-mapping.dmp

Download
memory/4352-152-0x0000000000000000-mapping.dmp

Download
memory/4620-135-0x0000000000000000-mapping.dmp

Download
memory/4720-150-0x0000000000000000-mapping.dmp

Download
memory/5004-189-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads