blackmatter | 41a698eb7c58022975ddb16d80e444234a71b1a3dfb3e017ad80a6ac8c541063

Analysis

max time kernel
272s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lockbit 3.0.rar
Size

3.2MB
MD5

feb587492965e27725f12cebfe9c0f63
SHA1

043fa82cd179a0c0d33d958534d0ac4a266af4fe
SHA256

41a698eb7c58022975ddb16d80e444234a71b1a3dfb3e017ad80a6ac8c541063
SHA512

5fc600d9a92dacf88f25dd9dc8882d2690ac814c1d785438e5fca6fd8b209b5da994545a70470b049c4f1bf0c4f235bacb4948e684df6617ad0764f9812a5ab1
SSDEEP

49152:8qITzbEX3VLCIWxBR58XL0Ech+4YcU/4ni+XaoCsqDLH80rGUol7CUDIM7Ozc8Ov:Hkzbk+R5owfKV+X9CTv3aUoluUDrCcnx

Score

10^/10

blackmatter lockbit link pdf ransomware spyware stealer

Malware Config

Extracted

Family

blackmatter

Version

25.239

Extracted

Path

C:\SQ7L3gXNR.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000e00000002328a-34.dat	family_lockbit
behavioral1/memory/3244-36-0x0000000000400000-0x000000000042C000-memory.dmp	family_lockbit
behavioral1/memory/3244-37-0x0000000000400000-0x000000000042C000-memory.dmp	family_lockbit
behavioral1/files/0x0009000000023299-46.dat	family_lockbit
behavioral1/files/0x00090000000232b7-64.dat	family_lockbit
behavioral1/files/0x00090000000232b9-3035.dat	family_lockbit
behavioral1/memory/5308-3036-0x0000000000400000-0x0000000000429000-memory.dmp	family_lockbit
behavioral1/memory/5308-3037-0x0000000000400000-0x0000000000429000-memory.dmp	family_lockbit

Renames multiple (678) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CB61.tmp

Executes dropped EXE 15 IoCs

pid	Process
3244	{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe
2356	keygen.exe
4428	builder.exe
1544	builder.exe
3916	builder.exe
4968	builder.exe
1636	builder.exe
4652	builder.exe
3308	LB3.exe
5968	builder.exe
4908	builder.exe
3288	CB61.tmp
5308	LB3_pass.exe
5488	LB3Decryptor.exe
5540	LB3Decryptor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	LB3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	LB3.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPa2xfuvsq5_uhx07wilmh5s_wc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPc5qykr_be_hvba_joa32443bb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPtmepegh8d6ovj359f9wobnq3d.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\SQ7L3gXNR.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\SQ7L3gXNR.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3288	CB61.tmp

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x000700000002329f-391.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4324	3244	WerFault.exe	115
5396	5308	WerFault.exe	143

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{98885545-D98B-11EE-B9F7-CE945492B8DF}.dat = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{98885543-D98B-11EE-B9F7-CE945492B8DF} = "0"	iexplore.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.SQ7L3gXNR	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.SQ7L3gXNR\ = "SQ7L3gXNR"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SQ7L3gXNR\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SQ7L3gXNR	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SQ7L3gXNR\DefaultIcon\ = "C:\\ProgramData\\SQ7L3gXNR.ico"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4152	ONENOTE.EXE
4152	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe
3308	LB3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1916	7zFM.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3308	LB3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1916	7zFM.exe
Token: 35	1916	7zFM.exe
Token: SeSecurityPrivilege	1916	7zFM.exe
Token: SeRestorePrivilege	3976	7zG.exe
Token: 35	3976	7zG.exe
Token: SeSecurityPrivilege	3976	7zG.exe
Token: SeSecurityPrivilege	3976	7zG.exe
Token: SeRestorePrivilege	4888	7zG.exe
Token: 35	4888	7zG.exe
Token: SeSecurityPrivilege	4888	7zG.exe
Token: SeSecurityPrivilege	4888	7zG.exe
Token: SeRestorePrivilege	2788	7zG.exe
Token: 35	2788	7zG.exe
Token: SeSecurityPrivilege	2788	7zG.exe
Token: SeSecurityPrivilege	2788	7zG.exe
Token: SeAssignPrimaryTokenPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeDebugPrivilege	3308	LB3.exe
Token: 36	3308	LB3.exe
Token: SeImpersonatePrivilege	3308	LB3.exe
Token: SeIncBasePriorityPrivilege	3308	LB3.exe
Token: SeIncreaseQuotaPrivilege	3308	LB3.exe
Token: 33	3308	LB3.exe
Token: SeManageVolumePrivilege	3308	LB3.exe
Token: SeProfSingleProcessPrivilege	3308	LB3.exe
Token: SeRestorePrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeSystemProfilePrivilege	3308	LB3.exe
Token: SeTakeOwnershipPrivilege	3308	LB3.exe
Token: SeShutdownPrivilege	3308	LB3.exe
Token: SeDebugPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeSecurityPrivilege	3308	LB3.exe
Token: SeBackupPrivilege	3308	LB3.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1916	7zFM.exe
1916	7zFM.exe
3976	7zG.exe
4888	7zG.exe
1940	iexplore.exe
2788	7zG.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1940	iexplore.exe
1940	iexplore.exe
5020	IEXPLORE.EXE
5020	IEXPLORE.EXE
5020	IEXPLORE.EXE
4152	ONENOTE.EXE
4152	ONENOTE.EXE
4152	ONENOTE.EXE
4152	ONENOTE.EXE
4152	ONENOTE.EXE
4152	ONENOTE.EXE
4152	ONENOTE.EXE
4152	ONENOTE.EXE
4152	ONENOTE.EXE
4152	ONENOTE.EXE
4152	ONENOTE.EXE
4152	ONENOTE.EXE
4152	ONENOTE.EXE
4152	ONENOTE.EXE
5488	LB3Decryptor.exe
5540	LB3Decryptor.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 1916	2788	cmd.exe	96
PID 2788 wrote to memory of 1916	2788	cmd.exe	96
PID 1940 wrote to memory of 5020	1940	iexplore.exe	109
PID 1940 wrote to memory of 5020	1940	iexplore.exe	109
PID 1940 wrote to memory of 5020	1940	iexplore.exe	109
PID 4340 wrote to memory of 2356	4340	cmd.exe	120
PID 4340 wrote to memory of 2356	4340	cmd.exe	120
PID 4340 wrote to memory of 2356	4340	cmd.exe	120
PID 4340 wrote to memory of 4428	4340	cmd.exe	121
PID 4340 wrote to memory of 4428	4340	cmd.exe	121
PID 4340 wrote to memory of 4428	4340	cmd.exe	121
PID 4340 wrote to memory of 1544	4340	cmd.exe	122
PID 4340 wrote to memory of 1544	4340	cmd.exe	122
PID 4340 wrote to memory of 1544	4340	cmd.exe	122
PID 4340 wrote to memory of 3916	4340	cmd.exe	123
PID 4340 wrote to memory of 3916	4340	cmd.exe	123
PID 4340 wrote to memory of 3916	4340	cmd.exe	123
PID 4340 wrote to memory of 4968	4340	cmd.exe	124
PID 4340 wrote to memory of 4968	4340	cmd.exe	124
PID 4340 wrote to memory of 4968	4340	cmd.exe	124
PID 4340 wrote to memory of 1636	4340	cmd.exe	125
PID 4340 wrote to memory of 1636	4340	cmd.exe	125
PID 4340 wrote to memory of 1636	4340	cmd.exe	125
PID 4340 wrote to memory of 4652	4340	cmd.exe	126
PID 4340 wrote to memory of 4652	4340	cmd.exe	126
PID 4340 wrote to memory of 4652	4340	cmd.exe	126
PID 3308 wrote to memory of 6016	3308	LB3.exe	132
PID 3308 wrote to memory of 6016	3308	LB3.exe	132
PID 4256 wrote to memory of 4152	4256	printfilterpipelinesvc.exe	135
PID 4256 wrote to memory of 4152	4256	printfilterpipelinesvc.exe	135
PID 3308 wrote to memory of 3288	3308	LB3.exe	136
PID 3308 wrote to memory of 3288	3308	LB3.exe	136
PID 3308 wrote to memory of 3288	3308	LB3.exe	136
PID 3308 wrote to memory of 3288	3308	LB3.exe	136
PID 3288 wrote to memory of 4180	3288	CB61.tmp	138
PID 3288 wrote to memory of 4180	3288	CB61.tmp	138
PID 3288 wrote to memory of 4180	3288	CB61.tmp	138

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Lockbit 3.0.rar"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Lockbit 3.0.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1916

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\LockBit-main\" -spe -an -ai#7zMap23768:82:7zEvent4048
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3976

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\" -spe -an -ai#7zMap9317:102:7zEvent31508
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1940 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:2552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3044

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\{04830965-76E6-6A9A-8EE1-6AF7499C1D08}\" -spe -an -ai#7zMap9531:180:7zEvent5306
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2788

C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\{04830965-76E6-6A9A-8EE1-6AF7499C1D08}\{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe
"C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\{04830965-76E6-6A9A-8EE1-6AF7499C1D08}\{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe"
1⤵
- Executes dropped EXE
PID:3244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 264
  2⤵
  - Program crash
  PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3244 -ip 3244
1⤵
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  PID:4652

C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\LB3.exe
"C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:6016
- C:\ProgramData\CB61.tmp
  "C:\ProgramData\CB61.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CB61.tmp >> NUL
    3⤵
    PID:4180

C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\builder.exe
"C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\builder.exe"
1⤵
- Executes dropped EXE
PID:5968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:6096

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{56300BCA-DB8D-45B5-8131-4480B89AA89C}.xps" 133539641408930000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4152

C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\builder.exe
"C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\builder.exe"
1⤵
- Executes dropped EXE
PID:4908

C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\LB3_pass.exe
"C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\LB3_pass.exe"
1⤵
- Executes dropped EXE
PID:5308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 220
  2⤵
  - Program crash
  PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5308 -ip 5308
1⤵
PID:5388

C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5488

C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\FFFFFFFFFFF

Filesize
129B

MD5
1c0e3f3ce17c003c4517c40d00828fcc

SHA1
d8a0828c5528cebdfb61fb713c90ddff3d34c043

SHA256
99dce7d49200656b8b7ca29c26285e41fce72f8146edd0b228b310ff8db5aaf3

SHA512
5a33b0b03831347336f4078ccf79526a45d5fe639622ae199f0c7ede4d57405b6791bef01578d74dd73152d8f27cec80aa368f6ae1f2e70ba6866a2b2f5b20bf

Download Submit
C:\ProgramData\CB61.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\SQ7L3gXNR.README.txt

Filesize
6KB

MD5
dd746ace17e44ace00885b91400f11d5

SHA1
4a0302d2dca400598f396e4230fdae71779cbeaa

SHA256
b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272

SHA512
8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{354A09C7-B2A0-4AC9-897E-42DA5D760884}

Filesize
4KB

MD5
eb8214b8e291c0d470d3259e5847a07c

SHA1
51cabf4678c2110160706ea84a132286dbb0abb6

SHA256
43b48713b334168b817347e1521a4ac7f7aeab2c18874b33413cf1521e0cde82

SHA512
2dc0b7624b46ef517067e424b72ddf9614ef4fec1297e698c62d11fbc416c09b9a2d7b9a2651d4a3d9ccb08600e91accdcd7ce5f9b722484c1b72387fe8b3ba1

Download Submit
C:\Users\Admin\Desktop\LockBit-main.zip

Filesize
292KB

MD5
68309717a780fd8b4d1a1680874d3e12

SHA1
4cfe4f5bbd98fa7e966184e647910d675cdbda43

SHA256
707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881

SHA512
e16de0338b1e1487803d37da66d16bc2f2644138615cbce648ae355f088912a04d1ce128a44797ff8c4dfc53c998058432052746c98c687670e4100194013149

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main.zip

Filesize
2.9MB

MD5
8ed5b7350f54ec24d149c0340eca0c50

SHA1
dce5cee2e0b1d80ee62d1fef4a8bd08f5ed4ef5e

SHA256
2f0c8e67b946b4472cda418e6e637e66dc179e92b14f2f5d8a42115a9e61449a

SHA512
84d218dd28b6ddb0a1c1c674e6517f2a58f92af0858b0718f7012057f7ec420f115794068e37461527e4a725fee831f2a0628ecdc8640e86d58c5ee632ca2ccd

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LICENSE

Filesize
11KB

MD5
b20d5182b70fb0bf1813b93b0c786b51

SHA1
ba024a23e853aa60a7522b02fb581fa51b38d427

SHA256
1155d96c5945d7f9afebb9fa2816ec9f1d561e0b84de482ce880f7fb50be5dbe

SHA512
daf456dcfa561f993ac9aa9be8298fda07d7c4ecf9a8be2f0e250de97b5f4ab842c3153e88ccc7ec09d691bbbf3ff5b468852877d877c4daab1228a45293ec46

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build.bat

Filesize
1KB

MD5
b8f24efd1d30aac9d360db90c8717aee

SHA1
7d31372560f81ea24db57bb18d56143251a8b266

SHA256
95df1d82137315708931f1fc3411e891cd42d1cab413d4380b479788729248ed

SHA512
14ebf7905f15983593164d1c093bb99d098daf3963f1b7a913c1a9763acb950075a0d2cceab3558cce3e7269c2a2d5dacc2b3c6c55807b0b6bda6bfad62dd032

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\DECRYPTION_ID.txt

Filesize
265B

MD5
7961947422b640808062023aa450c197

SHA1
8680000890cdbaabd762b45f46d319bdc84846c7

SHA256
1e89877b0a1e8114ebc7f2e4a47c9b1c3a744742d4a710b0f57356c59c8e6f33

SHA512
448e0dd410b4bde46c4fdf3b2b1ef568af02e8afe0555ab41d7d7999cd49467e535351ada42387b2fd27886de349cd18dfae42d6f2ef7a3bbb4ddc81a8187aaf

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\GGGGGGG

Filesize
153KB

MD5
9f0444ced98a3c501c7ce7846fd394cc

SHA1
7403a19fd3db0a6e2e01d8914fd0bad954c254b1

SHA256
d3da9e06f03c81a8f1216a5612a56bb0d762509f053e79f3a0e81bd6ca32efb2

SHA512
580aba21f236296efb75fabe12772f9b32de9f022b76ed813985a2034bd0d38fa3188634de8372d09f277d0ac34ba20f200e21f949f1fe998825d61c8f89a0fd

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\LB3.exe

Filesize
153KB

MD5
1e8a8549db3288f5c080ee89c985c916

SHA1
5a48aabe466ab180312902a604671119f2f55a32

SHA256
09c12271213b6505f7f0b3fbe380f1057292c8193624a214dd23cac913d3f715

SHA512
3b09291f91f120d3c61fd44d7d231aea1643aa24e2536d09aae01ff0a026ec44cebf6b9426cae3e1812a8fc294e224ccddccf0feba5fce5e880243d92ac1e0e4

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\LB3Decryptor.exe

Filesize
54KB

MD5
36e888f3d872555d39d7eed256e31c4b

SHA1
d2154cbde8dc5c6cea78b2c7643711d564c97de1

SHA256
de039714d50dddc16e255bba5ee4c0547267b02e7493959df29d781671060c1d

SHA512
98adfe5eba1144ac4fa4ab3fdfb0e8c60bb207b2278dc3f2263d4595706af9c2b4acb069f0951d36ba24080d6ccf46d4b4713c06be8262eca7fe899482956f26

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\LB3_pass.exe

Filesize
149KB

MD5
acc1ccc645ae31ed4571a293ff3470a6

SHA1
3c5aa0a49ec984c6d233c4dff7bcec7ee7982150

SHA256
61d405e2a29b322c0d763970c714a6227e82fa68801e46f295c9168f4cddf38e

SHA512
e3c3c412d1d06c168fcd140e93f1f0074345343bc945aadb58e8f132fe2c1a13e41ab7671e96e32a96f5b081aa70d8a566c79884f5382b3b650d8b8c9d4bc6a1

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\Password_dll.txt

Filesize
2KB

MD5
0068165c88af900fca799278764a61e1

SHA1
32dee320062a3e8121d59ff1c58a49e500cfdef7

SHA256
ad1dadba5a0db1755c554c156168cfcc9f15695cb46ecb891ac8f77611028ca4

SHA512
f2cec6759696a2a8040fa9c6cb8b667f80ede70ee9792e398b50008f036d05d26016c518d0ee51cc36cc90904c57966117a54434abb09a4797caab6d9427daae

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\Password_exe.txt

Filesize
2KB

MD5
e5a65abd04773072632d1af3ac2a7deb

SHA1
59256955e399a7c7998897171688341cd699b526

SHA256
3aa2aacb9b38bfd61fc952a2776dcdc15407eab46d388d569b6d4c358026f4e6

SHA512
733c0be9b2d830705a0c741c7aeba3daebbee0e1e9ad016a8b08bb7c9e1304603ffb805d2fbabb8bf5f49fe6b445c1dda66931380bc8902e247b580324d96330

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\priv.key

Filesize
344B

MD5
22203c69ab2775fa397adeb2b3ce1531

SHA1
778a6d03170d383317a5e8611e7bc81f69a4fd43

SHA256
cf6b3a7309a2d5b1456aa763e7908e99592c43f6e3339599babac6bba532d730

SHA512
53d2bad29f6ec8a4c0ff25a975587dd0a9606ffb36f887d4b78eadefafdd7e4fc7a025c7acc3fb38781485f62b9c778ca1de6c3ff40bf2f09b1db14f26241b6d

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\Build\pub.key

Filesize
344B

MD5
47ec4ac179a24cd2b046c0804ec45e1e

SHA1
26577b422166ec21df1618a9abbb36cec45874f2

SHA256
dd3e7d9359814f8ad161b1cabf9d3f9c537de982fc8b0dfe6df15993fe37e2f0

SHA512
94cfd890c7679a8cd8236cfe06dff479dc041b07b8bf9274de124a8b5b32bb03d8e287c7dfa208b6467dd5fb43098a3f5d4e18600681da8bd3dd6eef604eaac7

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\README.md

Filesize
4KB

MD5
56339ed5cff64cac320bc3ce78993e62

SHA1
f89d770892d456b85546598d5f2c6b755de33433

SHA256
d9366a8398c63925775d6482936515073427be518e3469e392ef60ed643b7042

SHA512
715b506974eeaffbd0b630d4b68b1a67367ec1f6cd1a81b78b63899a5d184f3a87de3a3316f737949e3b57a6922e558b820e0bff397c07c26aa1e7a86adb95ba

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\config.json

Filesize
8KB

MD5
de177fa08e9b2eaa378760afd53be6b2

SHA1
a18050f9e5f2412955df4b868ffb866209d2b84a

SHA256
d121f4293160e0a39cbb184c032cd45baf1372db00cd33afb0e166ac0a60ac4c

SHA512
44f4e745013eaa7d95486c91457c23fd9694f859920766f0139cf5ca9c84ff6c82d59be9675dd1a0c7b3216464c85cf732dbbdb0e641a5e47cbbf1830f4a0a8c

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\LockBit-main\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\README.md

Filesize
275B

MD5
7af774e3d618e35ab1cdfd0307dacc6f

SHA1
b24b1a9d4100dd8da4e67f01fce0cd28ebfb5473

SHA256
62b001af44d0a02c437dcbb97194c58e6eded49c0142da70da88a31f0832dda2

SHA512
5971c2d145e29c3e6808d7b02f4c02bcdc8b9dce7b4ace0e10e34221999ab23ecb387847abc0d47b50f173a8974ee6fba53ae226dfaf099c7da0f3e537b2ed97

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\Threat Spotlight Lockbit Black 3.0 Ransomware.pdf

Filesize
648KB

MD5
c7b897fdb1194ec180606a2ae5ed85ec

SHA1
23dd451c49caada90b081289c9dadd7c29055a04

SHA256
f77ad8025cef09d968dbb95d98f7833652e48bb5ed7126597327f1568148f7cb

SHA512
75465bda529319a340ed7d65d0d668986e8ef6fbdc030b602adff577bda49aceb2850b0349fb6c02b0019211047f23030f30373bcd86a91a39a39fcb21be3c34

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.zip

Filesize
160KB

MD5
ba9ad420b3560110b323b1145212fa0f

SHA1
37c0b397385c14c181f9d29dde39996a0394cbe9

SHA256
b711d6247a467d516c23151639608177e37c80e80d09d6afd4766a7daac1637e

SHA512
20a8baf51e11ab081be713166e2f48884f200a019b571816ea93c7f86d125e6fdbb1e892f7765b2f6c36aa800c913970ad0e59bef94d3c56f9a88a3b2c7541fd

Download Submit
C:\Users\Admin\Desktop\Lockbit-Black-3.0-main\{04830965-76E6-6A9A-8EE1-6AF7499C1D08}\{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe

Filesize
162KB

MD5
38745539b71cf201bb502437f891d799

SHA1
f2a72bee623659d3ba16b365024020868246d901

SHA256
80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce

SHA512
772e76757069c3375cf1ffd659ff03f47f2d4becae61a852adbc27ae467551210d8832994f944c05fccc8486a8a88322021c94217a8bd962c2459af41067132b

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
c4f627262938239f04b7106e78c0f455

SHA1
f52e136c429fba31f791ea0d3a0567692cb0df45

SHA256
1420f2b22acc88678aec1238661341102fe6d4cdb59958ef136d6ccb90464990

SHA512
196f5344c76a32a264dfd4a1e8201a58d5a218759d2b39fbb0a7e1bd76efa7a24ec671fd224222c9d0084186996991f64674707f76f895b46073f1c559fb4148

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\DDDDDDDDDDD

Filesize
129B

MD5
08727c29ac5f284b39b77df35c6e376d

SHA1
18ac1a174e6e7af350a547546a64d435f3315ec3

SHA256
ddce667487b125dd1440a8bfe63e407f5704b24d98799b26b21ade997fa51a82

SHA512
d4648a1141bc69a48d846ba17568d35d7cb279d79a51ac82eb0e0e04a2094ae305d3897a9e8d8a8d4979a5d9b6f10834f24cc23a23642ad5845123e848c1dc9f

Download Submit
memory/3244-37-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3244-36-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3308-66-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/3308-67-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/3308-2943-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/3308-2944-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/3308-2942-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/3308-68-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/4152-2958-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-3007-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-2962-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/4152-2976-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-2970-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-2965-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-2993-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-3001-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-3002-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-3003-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-3004-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-3006-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-3005-0x00007FF964470000-0x00007FF964480000-memory.dmp

Filesize
64KB

Download
memory/4152-2969-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/4152-3008-0x00007FF964470000-0x00007FF964480000-memory.dmp

Filesize
64KB

Download
memory/4152-3009-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-2960-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/4152-2961-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-3031-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-3032-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-3033-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4152-2959-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/4152-2957-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/5308-3037-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5308-3036-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download