d1b5c11b4e2fa35dca4221ef9b8e097b987c159fd52a9eae88fd96d54f78d5ed

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
22-09-2022 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit3Builder/Build.bat
Size

741B
MD5

4e46e28b2e61643f6af70a8b19e5cb1f
SHA1

804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256

8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512

009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

pid	Process
1256	keygen.exe
1132	builder.exe
2020	builder.exe
580	builder.exe
432	builder.exe
1912	builder.exe
468	builder.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1704	chrome.exe
1728	chrome.exe
1728	chrome.exe
2484	chrome.exe
2572	chrome.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1508	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1508	AUDIODG.EXE
Token: 33	1508	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1508	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1256	1700	cmd.exe	29
PID 1700 wrote to memory of 1256	1700	cmd.exe	29
PID 1700 wrote to memory of 1256	1700	cmd.exe	29
PID 1700 wrote to memory of 1256	1700	cmd.exe	29
PID 1700 wrote to memory of 1132	1700	cmd.exe	30
PID 1700 wrote to memory of 1132	1700	cmd.exe	30
PID 1700 wrote to memory of 1132	1700	cmd.exe	30
PID 1700 wrote to memory of 1132	1700	cmd.exe	30
PID 1700 wrote to memory of 2020	1700	cmd.exe	31
PID 1700 wrote to memory of 2020	1700	cmd.exe	31
PID 1700 wrote to memory of 2020	1700	cmd.exe	31
PID 1700 wrote to memory of 2020	1700	cmd.exe	31
PID 1700 wrote to memory of 580	1700	cmd.exe	32
PID 1700 wrote to memory of 580	1700	cmd.exe	32
PID 1700 wrote to memory of 580	1700	cmd.exe	32
PID 1700 wrote to memory of 580	1700	cmd.exe	32
PID 1700 wrote to memory of 432	1700	cmd.exe	33
PID 1700 wrote to memory of 432	1700	cmd.exe	33
PID 1700 wrote to memory of 432	1700	cmd.exe	33
PID 1700 wrote to memory of 432	1700	cmd.exe	33
PID 1700 wrote to memory of 1912	1700	cmd.exe	34
PID 1700 wrote to memory of 1912	1700	cmd.exe	34
PID 1700 wrote to memory of 1912	1700	cmd.exe	34
PID 1700 wrote to memory of 1912	1700	cmd.exe	34
PID 1700 wrote to memory of 468	1700	cmd.exe	35
PID 1700 wrote to memory of 468	1700	cmd.exe	35
PID 1700 wrote to memory of 468	1700	cmd.exe	35
PID 1700 wrote to memory of 468	1700	cmd.exe	35
PID 1728 wrote to memory of 2024	1728	chrome.exe	40
PID 1728 wrote to memory of 2024	1728	chrome.exe	40
PID 1728 wrote to memory of 2024	1728	chrome.exe	40
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41
PID 1728 wrote to memory of 1564	1728	chrome.exe	41

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\LB3Decryptor.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\LB3.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\LB3_pass.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:580
- C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\LB3_Rundll32.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:432
- C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\LB3_Rundll32_pass.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:468

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x558
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5e64f50,0x7fef5e64f60,0x7fef5e64f70
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1128 /prefetch:2
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1868 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2684 /prefetch:2
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3636 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=772 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3028 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3688 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3336 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6014726816422540960,12406759251577646153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  PID:2684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\priv.key

Filesize
344B

MD5
0ef27052315c3661948bb3c1f1f2c62e

SHA1
241f9d021f599124c4cfd667c2b9f93dc6698c4a

SHA256
10769697ec26cb48b2991381efa804c42945e41f9f2f9ee84567c3268bc4a2a9

SHA512
6ba7dfbaf3acd102ff133db76def772ea28e4412110c7d4ded19f04ea2df743e8acf29420bf663dd0a0338988e99fd15c23c5d2c65ef00375a4822da66fcd9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit3Builder\Build\pub.key

Filesize
344B

MD5
24564db6d0c2b2e8ddecf94c7f9a506d

SHA1
5bd166703057932ea7e1fc1f13fdb635f199e471

SHA256
953b9773f087f4f4cb8c11bf6927da1b863dd6f4bacc15b0a630b8371c16eba4

SHA512
45856c87211aea06d83d76322aae017a4d357a01f089746621f34feb19a3ad4a757678ec60d6b62db5743ef0315d4a0c9c759cc3ef9a10c93750f3e0f6085569

Download Submit
memory/1256-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1652-70-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

Filesize
8KB

Download