Malware Analysis Report

2024-11-15 07:21

Sample ID 240311-hnxazaec86
Target lockbit_v3_unpacked.7z.zip
SHA256 70c0f2d25b1d2eee2273fbd05ffa16e3cfe5880f9b2f66b66eed3029fd611a5b
Tags
lockbit ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

70c0f2d25b1d2eee2273fbd05ffa16e3cfe5880f9b2f66b66eed3029fd611a5b

Threat Level: Known bad

The file lockbit_v3_unpacked.7z.zip was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware

Lockbit family

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Executes dropped EXE

Deletes itself

Drops desktop.ini file(s)

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 06:53

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 06:53

Reported

2024-03-11 07:08

Platform

win11-20240221-en

Max time kernel

479s

Max time network

450s

Command Line

"C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe"

Signatures

Lockbit

ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload


Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\801E.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\801E.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-4181651180-3163410697-3990547336-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4181651180-3163410697-3990547336-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP6lbdnqbpo_hm1uv25s5u83rvd.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPcmuobsmmaiy1d8zs4g97098od.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP5sb7g51y08g5pz938pxfzsb.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\HLJkNskOq.bmp" C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\HLJkNskOq.bmp" C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.HLJkNskOq C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.HLJkNskOq\ = "HLJkNskOq" C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HLJkNskOq\DefaultIcon C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HLJkNskOq C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HLJkNskOq\DefaultIcon\ = "C:\\ProgramData\\HLJkNskOq.ico" C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe N/A

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe "C:\Users\Admin\AppData\Local\Temp\lockbit_v3_unpacked.exe"
C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\printfilterpipelinesvc.exe C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{8308E22A-4214-4D90-AE36-EB04B283AE7A}.xps" 133546139364300000
C:\ProgramData\801E.tmp "C:\ProgramData\801E.tmp"
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\801E.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/4032-0-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4032-1-0x0000000002620000-0x0000000002630000-memory.dmp

memory/4032-3-0x0000000002620000-0x0000000002630000-memory.dmp

memory/4032-2-0x0000000002620000-0x0000000002630000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4181651180-3163410697-3990547336-1000\VVVVVVVVVVV

MD5 2cd816983a79d70cbd55ae1f4f139b1a
SHA1 d7e07399d1126c09675533cc4a0b2fedda4c1509
SHA256 f8825714d2fbb2b82aec970113d0fed4cb996869b2b31dbdad176c99e08c4e64
SHA512 1032c009f0755bea89f008fe48587ddb660a438e46fb03bcfd6d48cdcca369b1a0c52d16fe3781705dd87fe591a47bccbabdc01b1d940ef5a680f4a6a2855c7b

F:\$RECYCLE.BIN\S-1-5-21-4181651180-3163410697-3990547336-1000\DDDDDDDDDDD

MD5 f34c8e850cec05528a7cff36dd9de114
SHA1 d6eb4ff81cf3d40cda9fbc1dcfb125d04ed1460e
SHA256 5545682bc760d381b9b476f73167763975f8c3e181b13fa5131ac6aaa667e700
SHA512 50c2be3f4a9ebcf51eaffedf39a8fabf8a0f0db4e2f9930151a8dc3969ea1439f557d2f8b108ee24c0c5685cbca3cdb2e44a42682f7de75e121bf73c39f38cdf

C:\Users\HLJkNskOq.README.txt

MD5 3ee9ee4722b32213f37931bf5822eea1
SHA1 f53053c66b5f7ba6647020b783e6054c83ad8c8d
SHA256 6a50b003049e131dec77035495717177f9cc83e5f81b50a3d78b5ccee1bc38c7
SHA512 72df4d50b390fc824baf853d1cc32c4cd53136a7d3386ef07b78f4fec7676ea49b0af564992d07ed30e020b775b5ad32c9391caf73424e97d8aa19eced0bce01

memory/4636-318-0x00007FF876520000-0x00007FF876729000-memory.dmp

memory/4032-317-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4636-337-0x00007FF876520000-0x00007FF876729000-memory.dmp

memory/4636-349-0x00007FF8365B0000-0x00007FF8365C0000-memory.dmp

memory/4636-350-0x00007FF876520000-0x00007FF876729000-memory.dmp

memory/4636-353-0x00007FF876520000-0x00007FF876729000-memory.dmp

memory/4636-352-0x00007FF8365B0000-0x00007FF8365C0000-memory.dmp

memory/4636-354-0x00007FF876520000-0x00007FF876729000-memory.dmp

memory/4636-355-0x00007FF876520000-0x00007FF876729000-memory.dmp

memory/4636-351-0x00007FF876520000-0x00007FF876729000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDD

MD5 772ea5172e1eec1a08dea97c413a1460
SHA1 7ce9008c5f35f924436d1d69cf66d8a42d105fa1
SHA256 8f6e5bc4bec802bf1487f928d8b6552ab5064311e6199418f1e33687d79d8c22
SHA512 283b76e6fa92fc655d17fc1ff510300215bbac69157c15bac9d38c7adc43767a6cb12d05c0c8ab2b878f4ce92b1bfe4feba2f8640c61b38ec1d0bc0734120534

memory/4636-319-0x00007FF8365B0000-0x00007FF8365C0000-memory.dmp

memory/4636-316-0x00007FF8365B0000-0x00007FF8365C0000-memory.dmp

C:\ProgramData\801E.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/4636-313-0x00007FF8365B0000-0x00007FF8365C0000-memory.dmp

memory/3384-356-0x000000007FE70000-0x000000007FE71000-memory.dmp

memory/3384-357-0x0000000002620000-0x0000000002630000-memory.dmp

memory/4636-358-0x00007FF833A90000-0x00007FF833AA0000-memory.dmp

memory/3384-359-0x000000007FE50000-0x000000007FE51000-memory.dmp

memory/3384-360-0x000000007FDF0000-0x000000007FDF1000-memory.dmp

memory/4636-362-0x00007FF833A90000-0x00007FF833AA0000-memory.dmp

memory/4636-361-0x00007FF874850000-0x00007FF87490D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{81BD586D-AC3E-4A4A-BD84-4EFFFA806C5F}

MD5 a9ef184a1eb5f94aa773f74279101a9e
SHA1 41f4fa4bb7224875866ef7e3144492d27ed345c9
SHA256 53691e0de5f6a2b3b09278ca19bd0be50d3b269d12b9d1c7574ab2a1ec061b13
SHA512 bfb676591479663e94093664e55a2944f736e819a84dcbe7310df250b5a590451c2451c4e25202dcba88a02d39a65ada59aa80b5559ed64797d5232c0df1d743

memory/4636-379-0x00007FF876520000-0x00007FF876729000-memory.dmp

memory/3384-381-0x0000000002620000-0x0000000002630000-memory.dmp

memory/3384-380-0x0000000002620000-0x0000000002630000-memory.dmp

memory/4636-382-0x00007FF874850000-0x00007FF87490D000-memory.dmp

memory/3384-384-0x000000007FE10000-0x000000007FE11000-memory.dmp

memory/3384-385-0x000000007FE30000-0x000000007FE31000-memory.dmp