Analysis
- max time kernel: 1073s
- max time network: 1165s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 11-03-2024 06:47
Behavioral tasks
- behavioral1: sample lockbit_v3_unpacked.7z.zip, resource win11-20240221-en
- behavioral2: sample lockbit_v3_unpacked.7z, resource win11-20240221-en
- behavioral3: sample lockbit_v3_unpacked.exe, resource win11-20240221-en
General
- Target: lockbit_v3_unpacked.exe
- Size: 162KB
- MD5: 628e4a77536859ffc2853005924db2ef
- SHA1: c2a321b6078acfab582a195c3eaf3fe05e095ce0
- SHA256: d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee
- SHA512: aae3e3e9b12ab7389e5f2eac89b2a306c4d2b91bb4204f83cc7308a83c3dea88bbc2d826546c886fd580c01245a6be5c0aefcd93936daeecb3614935248de5f1
- SSDEEP: 3072:o5uyulsHwDV1gFnTwn7zwJGJ+3t5kCI5Gzei3N2VzRmK:o5uZ1DPgFnk7EJwaI5gDN2VVm
Malware Config
- Extracted from: C:\HLJkNskOq.README.txt
- Family: lockbit
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Rule to detect Lockbit 3.0 ransomware Windows payload (2 IoCs)
- resource behavioral3/memory/2164-0-0x0000000000400000-0x000000000042C000-memory.dmp: yara_rule family_lockbit
- resource behavioral3/memory/2164-331-0x0000000000400000-0x000000000042C000-memory.dmp: yara_rule family_lockbit
Deletes itself (1 IoC)
- pid 4976, process 712A.tmp

Executes dropped EXE (1 IoC)
- pid 4976, process 712A.tmp
Drops desktop.ini file(s) (2 IoCs)
- File opened for modification: C:\$Recycle.Bin\S-1-5-21-3594324687-1993884830-4019639329-1000\desktop.ini (process lockbit_v3_unpacked.exe)
- File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-3594324687-1993884830-4019639329-1000\desktop.ini (process lockbit_v3_unpacked.exe)
Drops file in System32 directory (4 IoCs)
- File created: C:\Windows\system32\spool\PRINTERS\PPq6_s13gp34g1rmt5a6zbiz2td.TMP (process printfilterpipelinesvc.exe)
- File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (process splwow64.exe)
- File created: C:\Windows\system32\spool\PRINTERS\PP8ay07z8u4v9uzrihq0ak33b2b.TMP (process printfilterpipelinesvc.exe)
- File created: C:\Windows\system32\spool\PRINTERS\PP50_ayiktzwtbh2zpewoo_s_p.TMP (process printfilterpipelinesvc.exe)
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\HLJkNskOq.bmp" (process lockbit_v3_unpacked.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\HLJkNskOq.bmp" (process lockbit_v3_unpacked.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
- pid 2164, process lockbit_v3_unpacked.exe (6 entries)
- pid 4976, process 712A.tmp (6 entries)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process ONENOTE.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process ONENOTE.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process ONENOTE.EXE)
Modifies Control Panel (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Control Panel\Desktop (process lockbit_v3_unpacked.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Control Panel\Desktop\WallpaperStyle = "10" (process lockbit_v3_unpacked.exe)
Modifies registry class (5 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\HLJkNskOq\DefaultIcon (process lockbit_v3_unpacked.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\HLJkNskOq (process lockbit_v3_unpacked.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\HLJkNskOq\DefaultIcon\ = "C:\\ProgramData\\HLJkNskOq.ico" (process lockbit_v3_unpacked.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.HLJkNskOq (process lockbit_v3_unpacked.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.HLJkNskOq\ = "HLJkNskOq" (process lockbit_v3_unpacked.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- pid 4844, process ONENOTE.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses (14 IoCs)
- pid 2164, process lockbit_v3_unpacked.exe (12 entries)
- pid 4844, process ONENOTE.EXE (2 entries)
Suspicious behavior: RenamesItself (26 IoCs)
- pid 4976, process 712A.tmp (26 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All entries are pid 2164, process lockbit_v3_unpacked.exe. Tokens, in order:
- SeAssignPrimaryTokenPrivilege
- SeBackupPrivilege
- SeDebugPrivilege
- 36
- SeImpersonatePrivilege
- SeIncBasePriorityPrivilege
- SeIncreaseQuotaPrivilege
- 33
- SeManageVolumePrivilege
- SeProfSingleProcessPrivilege
- SeRestorePrivilege
- SeSecurityPrivilege
- SeSystemProfilePrivilege
- SeTakeOwnershipPrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- followed by 48 entries alternating in pairs between SeBackupPrivilege and SeSecurityPrivilege (24 of each)
Suspicious use of SetWindowsHookEx (17 IoCs)
- pid 4844, process ONENOTE.EXE (17 entries)
Suspicious use of WriteProcessMemory (11 IoCs)
- PID 2164 wrote to memory of 4920: lockbit_v3_unpacked.exe -> splwow64.exe (2 entries)
- PID 3152 wrote to memory of 4844: printfilterpipelinesvc.exe -> ONENOTE.EXE (2 entries)
- PID 2164 wrote to memory of 4976: lockbit_v3_unpacked.exe -> 712A.tmp (4 entries)
- PID 4976 wrote to memory of 760: 712A.tmp -> cmd.exe (3 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe (PID 2164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 4920, child of 2164)
    Command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory
  - C:\ProgramData\712A.tmp (PID 4976, child of 2164)
    Command line: "C:\ProgramData\712A.tmp"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 760, child of 4976)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\712A.tmp >> NUL
- C:\Windows\system32\svchost.exe (PID 1672)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- C:\Windows\system32\printfilterpipelinesvc.exe (PID 3152)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 4844, child of 3152)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{496A3F5F-231F-487B-8E67-CF7E42D2DADE}.xps" 133546136519790000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx