b09403adcaf79f3602815c242b3698e43138156d848ac1b0802232d4afc36154

Resubmissions

13-11-2022 18:00

221113-wll9wacb66 10

22-09-2022 05:49

220922-gjgt2sabf4 10

21-09-2022 18:45

220921-xefn7aghd5 10

Analysis

max time kernel
40s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13-11-2022 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit30/Build.bat
Size

741B
MD5

4e46e28b2e61643f6af70a8b19e5cb1f
SHA1

804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256

8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512

009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

Processes:

keygen.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exe

pid process

1472 keygen.exe
1144 builder.exe
760 builder.exe
888 builder.exe
800 builder.exe
1620 builder.exe
1724 builder.exe

pid	process
1472	keygen.exe
1144	builder.exe
760	builder.exe
888	builder.exe
800	builder.exe
1620	builder.exe
1724	builder.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1504 wrote to memory of 1472	1504	cmd.exe	keygen.exe
PID 1504 wrote to memory of 1472	1504	cmd.exe	keygen.exe
PID 1504 wrote to memory of 1472	1504	cmd.exe	keygen.exe
PID 1504 wrote to memory of 1472	1504	cmd.exe	keygen.exe
PID 1504 wrote to memory of 1144	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 1144	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 1144	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 1144	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 760	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 760	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 760	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 760	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 888	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 888	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 888	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 888	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 800	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 800	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 800	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 800	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 1620	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 1620	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 1620	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 1620	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 1724	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 1724	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 1724	1504	cmd.exe	builder.exe
PID 1504 wrote to memory of 1724	1504	cmd.exe	builder.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\LockBit30\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\LockBit30\Build -pubkey pub.key -privkey priv.key
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1472

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3Decryptor.exe
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1144

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3.exe
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:760

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_pass.exe
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:888

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:800

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32_pass.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1620

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1724

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key
Filesize
344B

MD5
0cf778dbdc46e5312713ca80f87d11fa

SHA1
7cefdee8da3e66c9bb9b200bb2970b2817aee51a

SHA256
a2c53ba07122066aa8a6aa2e1a28b1b6ed30c104768d2919e2fdc40ecb841936

SHA512
89b4e425a0b6d5c981f08bd11fa72194bea64a9fadc7d9beae419da1eafac6ecef36d69ba779421ae9d9b22c3fe4f76f9d9587bd35ec9119cc921bb007f612dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key
Filesize
344B

MD5
c50ba2951e2b688a7f3949ffb19295f2

SHA1
3a62ebd8889e66beedcb735348420187f75b56c8

SHA256
af8a0399819e5bcf357c68be7749a28e76c6b1faf9807a660e0261395a488a0e

SHA512
815bf0b182b63f94750239989458ca2d9d644473e14b24f5d1aefe79eaedae4a261a8b192d217128105ccb99b4ef6fb32fda976dda540efa92b9675a17123d35

Download Submit
memory/760-59-0x0000000000000000-mapping.dmp

Download
memory/800-64-0x0000000000000000-mapping.dmp

Download
memory/888-62-0x0000000000000000-mapping.dmp

Download
memory/1144-56-0x0000000000000000-mapping.dmp

Download
memory/1472-54-0x0000000000000000-mapping.dmp

Download
memory/1472-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1620-66-0x0000000000000000-mapping.dmp

Download
memory/1724-68-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads