Analysis
max time kernel: 479s
max time network: 450s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-03-2024 06:53
Behavioral task: behavioral1
Sample: lockbit_v3_unpacked.exe
Resource: win11-20240221-en
General
Target: lockbit_v3_unpacked.exe
Size: 162KB
MD5: 628e4a77536859ffc2853005924db2ef
SHA1: c2a321b6078acfab582a195c3eaf3fe05e095ce0
SHA256: d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee
SHA512: aae3e3e9b12ab7389e5f2eac89b2a306c4d2b91bb4204f83cc7308a83c3dea88bbc2d826546c886fd580c01245a6be5c0aefcd93936daeecb3614935248de5f1
SSDEEP: 3072:o5uyulsHwDV1gFnTwn7zwJGJ+3t5kCI5Gzei3N2VzRmK:o5uZ1DPgFnk7EJwaI5gDN2VVm
Malware Config
Extracted
C:\Users\HLJkNskOq.README.txt
lockbit
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Rule to detect Lockbit 3.0 ransomware Windows payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/4032-0-0x0000000000400000-0x000000000042C000-memory.dmp | family_lockbit
  behavioral1/memory/4032-317-0x0000000000400000-0x000000000042C000-memory.dmp | family_lockbit

Deletes itself (1 IoC)
Processes: 801E.tmp
  pid | process
  3384 | 801E.tmp

Executes dropped EXE (1 IoC)
Processes: 801E.tmp
  pid | process
  3384 | 801E.tmp

Drops desktop.ini file(s) (2 IoCs)
Processes: lockbit_v3_unpacked.exe
  description | ioc | process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-4181651180-3163410697-3990547336-1000\desktop.ini | lockbit_v3_unpacked.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4181651180-3163410697-3990547336-1000\desktop.ini | lockbit_v3_unpacked.exe

Drops file in System32 directory (4 IoCs)
Processes: splwow64.exe, printfilterpipelinesvc.exe
  description | ioc | process
  File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
  File created | C:\Windows\system32\spool\PRINTERS\PP6lbdnqbpo_hm1uv25s5u83rvd.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\PPcmuobsmmaiy1d8zs4g97098od.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\PP5sb7g51y08g5pz938pxfzsb.TMP | printfilterpipelinesvc.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: lockbit_v3_unpacked.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\HLJkNskOq.bmp" | lockbit_v3_unpacked.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\HLJkNskOq.bmp" | lockbit_v3_unpacked.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
Processes: lockbit_v3_unpacked.exe, 801E.tmp
  pid | process
  4032 | lockbit_v3_unpacked.exe (6 entries)
  3384 | 801E.tmp (6 entries)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: ONENOTE.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: ONENOTE.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE

Modifies Control Panel (2 IoCs)
Processes: lockbit_v3_unpacked.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Control Panel\Desktop | lockbit_v3_unpacked.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Control Panel\Desktop\WallpaperStyle = "10" | lockbit_v3_unpacked.exe

Modifies registry class (5 IoCs)
Processes: lockbit_v3_unpacked.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.HLJkNskOq | lockbit_v3_unpacked.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.HLJkNskOq\ = "HLJkNskOq" | lockbit_v3_unpacked.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HLJkNskOq\DefaultIcon | lockbit_v3_unpacked.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HLJkNskOq | lockbit_v3_unpacked.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HLJkNskOq\DefaultIcon\ = "C:\\ProgramData\\HLJkNskOq.ico" | lockbit_v3_unpacked.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: lockbit_v3_unpacked.exe, ONENOTE.EXE
  pid | process
  4032 | lockbit_v3_unpacked.exe (12 entries)
  4636 | ONENOTE.EXE (2 entries)

Suspicious behavior: RenamesItself (26 IoCs)
Processes: 801E.tmp
  pid | process
  3384 | 801E.tmp (26 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: lockbit_v3_unpacked.exe
  description | pid | process
  Token: SeAssignPrimaryTokenPrivilege | 4032 | lockbit_v3_unpacked.exe
  Token: SeBackupPrivilege | 4032 | lockbit_v3_unpacked.exe
  Token: SeDebugPrivilege | 4032 | lockbit_v3_unpacked.exe
  Token: 36 | 4032 | lockbit_v3_unpacked.exe
  Token: SeImpersonatePrivilege | 4032 | lockbit_v3_unpacked.exe
  Token: SeIncBasePriorityPrivilege | 4032 | lockbit_v3_unpacked.exe
  Token: SeIncreaseQuotaPrivilege | 4032 | lockbit_v3_unpacked.exe
  Token: 33 | 4032 | lockbit_v3_unpacked.exe
  Token: SeManageVolumePrivilege | 4032 | lockbit_v3_unpacked.exe
  Token: SeProfSingleProcessPrivilege | 4032 | lockbit_v3_unpacked.exe
  Token: SeRestorePrivilege | 4032 | lockbit_v3_unpacked.exe
  Token: SeSecurityPrivilege | 4032 | lockbit_v3_unpacked.exe
  Token: SeSystemProfilePrivilege | 4032 | lockbit_v3_unpacked.exe
  Token: SeTakeOwnershipPrivilege | 4032 | lockbit_v3_unpacked.exe
  Token: SeShutdownPrivilege | 4032 | lockbit_v3_unpacked.exe
  Token: SeDebugPrivilege | 4032 | lockbit_v3_unpacked.exe
  Then the following cycle, all from pid 4032 lockbit_v3_unpacked.exe, repeated 12 times (48 entries):
    Token: SeBackupPrivilege (2 entries), Token: SeSecurityPrivilege (2 entries)

Suspicious use of SetWindowsHookEx (13 IoCs)
Processes: ONENOTE.EXE
  pid | process
  4636 | ONENOTE.EXE (13 entries)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: lockbit_v3_unpacked.exe, printfilterpipelinesvc.exe, 801E.tmp
  description | pid | process | target process
  PID 4032 wrote to memory of 1660 | 4032 | lockbit_v3_unpacked.exe | splwow64.exe (2 entries)
  PID 3088 wrote to memory of 4636 | 3088 | printfilterpipelinesvc.exe | ONENOTE.EXE (2 entries)
  PID 4032 wrote to memory of 3384 | 4032 | lockbit_v3_unpacked.exe | 801E.tmp (4 entries)
  PID 3384 wrote to memory of 4944 | 3384 | 801E.tmp | cmd.exe (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe (PID 4032)
    Command line: "C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe"
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (PID 1660)
        Command line: C:\Windows\splwow64.exe 12288
        - Drops file in System32 directory

    C:\ProgramData\801E.tmp (PID 3384)
        Command line: "C:\ProgramData\801E.tmp"
        - Deletes itself
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: RenamesItself
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 4944)
            Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\801E.tmp >> NUL

C:\Windows\system32\svchost.exe (PID 2744)
    Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe (PID 3088)
    Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 4636)
        Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{8308E22A-4214-4D90-AE36-EB04B283AE7A}.xps" 133546139364300000
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: 2cd816983a79d70cbd55ae1f4f139b1a
SHA1: d7e07399d1126c09675533cc4a0b2fedda4c1509
SHA256: f8825714d2fbb2b82aec970113d0fed4cb996869b2b31dbdad176c99e08c4e64
SHA512: 1032c009f0755bea89f008fe48587ddb660a438e46fb03bcfd6d48cdcca369b1a0c52d16fe3781705dd87fe591a47bccbabdc01b1d940ef5a680f4a6a2855c7b

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Filesize: 162KB
MD5: 772ea5172e1eec1a08dea97c413a1460
SHA1: 7ce9008c5f35f924436d1d69cf66d8a42d105fa1
SHA256: 8f6e5bc4bec802bf1487f928d8b6552ab5064311e6199418f1e33687d79d8c22
SHA512: 283b76e6fa92fc655d17fc1ff510300215bbac69157c15bac9d38c7adc43767a6cb12d05c0c8ab2b878f4ce92b1bfe4feba2f8640c61b38ec1d0bc0734120534

Filesize: 4KB
MD5: a9ef184a1eb5f94aa773f74279101a9e
SHA1: 41f4fa4bb7224875866ef7e3144492d27ed345c9
SHA256: 53691e0de5f6a2b3b09278ca19bd0be50d3b269d12b9d1c7574ab2a1ec061b13
SHA512: bfb676591479663e94093664e55a2944f736e819a84dcbe7310df250b5a590451c2451c4e25202dcba88a02d39a65ada59aa80b5559ed64797d5232c0df1d743

Filesize: 10KB
MD5: 3ee9ee4722b32213f37931bf5822eea1
SHA1: f53053c66b5f7ba6647020b783e6054c83ad8c8d
SHA256: 6a50b003049e131dec77035495717177f9cc83e5f81b50a3d78b5ccee1bc38c7
SHA512: 72df4d50b390fc824baf853d1cc32c4cd53136a7d3386ef07b78f4fec7676ea49b0af564992d07ed30e020b775b5ad32c9391caf73424e97d8aa19eced0bce01

Filesize: 129B
MD5: f34c8e850cec05528a7cff36dd9de114
SHA1: d6eb4ff81cf3d40cda9fbc1dcfb125d04ed1460e
SHA256: 5545682bc760d381b9b476f73167763975f8c3e181b13fa5131ac6aaa667e700
SHA512: 50c2be3f4a9ebcf51eaffedf39a8fabf8a0f0db4e2f9930151a8dc3969ea1439f557d2f8b108ee24c0c5685cbca3cdb2e44a42682f7de75e121bf73c39f38cdf