lockbit | b094665ec4cdca6d8e9b9f63d8d71b1b9263eda12f1fdd1d8aa820dbf4c231f6

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Build/LB3_ReflectiveDll_DllMain.dll
Size

107KB
MD5

660679f8d44100cd240add9862598d66
SHA1

afca2fd0af09265e099e8cf5b898ea45f01f288a
SHA256

6667b29705a3c882d536589dc9d7193725ecdbc42c8bb0cc60f3c9d6d0240275
SHA512

d347ed75a08678af1eb449230f437d6f0fb3da6f98a6f7d36eaf73c7cd1399ec9712b940b370a92fa9b8d6a2ece5c607e86ecbfa12cc6cda3df85d66475091dd
SSDEEP

3072:n9bfmBYtGb2kZlBmLmmnFPNeSDkDqS4AJ:n9ptGakZlsLXFISDzAJ

Score

10^/10

lockbit ransomware

Malware Config

Extracted

Path

C:\Users\HHuYRxB06.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: 21BAF8E63EE715F84BF61C7D843D5A16 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Deletes itself 1 IoCs

pid	Process
1824	B03C.tmp

Executes dropped EXE 1 IoCs

pid	Process
1824	B03C.tmp

Loads dropped DLL 1 IoCs

pid	Process
2160	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
1824	B03C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.HHuYRxB06	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.HHuYRxB06\ = "HHuYRxB06"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06\DefaultIcon	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06\DefaultIcon\ = "C:\\ProgramData\\HHuYRxB06.ico"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp
1824	B03C.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeDebugPrivilege	2160	rundll32.exe
Token: 36	2160	rundll32.exe
Token: SeImpersonatePrivilege	2160	rundll32.exe
Token: SeIncBasePriorityPrivilege	2160	rundll32.exe
Token: SeIncreaseQuotaPrivilege	2160	rundll32.exe
Token: 33	2160	rundll32.exe
Token: SeManageVolumePrivilege	2160	rundll32.exe
Token: SeProfSingleProcessPrivilege	2160	rundll32.exe
Token: SeRestorePrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeSystemProfilePrivilege	2160	rundll32.exe
Token: SeTakeOwnershipPrivilege	2160	rundll32.exe
Token: SeShutdownPrivilege	2160	rundll32.exe
Token: SeDebugPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeAssignPrimaryTokenPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeDebugPrivilege	2160	rundll32.exe
Token: 36	2160	rundll32.exe
Token: SeImpersonatePrivilege	2160	rundll32.exe
Token: SeIncBasePriorityPrivilege	2160	rundll32.exe
Token: SeIncreaseQuotaPrivilege	2160	rundll32.exe
Token: 33	2160	rundll32.exe
Token: SeManageVolumePrivilege	2160	rundll32.exe
Token: SeProfSingleProcessPrivilege	2160	rundll32.exe
Token: SeRestorePrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeSystemProfilePrivilege	2160	rundll32.exe
Token: SeTakeOwnershipPrivilege	2160	rundll32.exe
Token: SeShutdownPrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	2160	rundll32.exe
Token: SeSecurityPrivilege	2160	rundll32.exe
Token: SeBackupPrivilege	1824	B03C.tmp
Token: SeRestorePrivilege	1824	B03C.tmp
Token: SeIncBasePriorityPrivilege	1824	B03C.tmp
Token: 33	1824	B03C.tmp
Token: SeManageVolumePrivilege	1824	B03C.tmp
Token: SeSecurityPrivilege	1824	B03C.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2160	2468	rundll32.exe	27
PID 2468 wrote to memory of 2160	2468	rundll32.exe	27
PID 2468 wrote to memory of 2160	2468	rundll32.exe	27
PID 2468 wrote to memory of 2160	2468	rundll32.exe	27
PID 2468 wrote to memory of 2160	2468	rundll32.exe	27
PID 2468 wrote to memory of 2160	2468	rundll32.exe	27
PID 2468 wrote to memory of 2160	2468	rundll32.exe	27
PID 2160 wrote to memory of 1824	2160	rundll32.exe	31
PID 2160 wrote to memory of 1824	2160	rundll32.exe	31
PID 2160 wrote to memory of 1824	2160	rundll32.exe	31
PID 2160 wrote to memory of 1824	2160	rundll32.exe	31
PID 2160 wrote to memory of 1824	2160	rundll32.exe	31
PID 1824 wrote to memory of 2164	1824	B03C.tmp	32
PID 1824 wrote to memory of 2164	1824	B03C.tmp	32
PID 1824 wrote to memory of 2164	1824	B03C.tmp	32
PID 1824 wrote to memory of 2164	1824	B03C.tmp	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\ProgramData\B03C.tmp
    "C:\ProgramData\B03C.tmp"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B03C.tmp >> NUL
      4⤵
      PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Build\DDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
107KB

MD5
90feb307ffe744f3701971ce3fdc1c16

SHA1
d124f2b24a26a5cce4d57d545a46387cb41ad5a2

SHA256
1f704305bfb58dce7549974f00e339c7eec30ebe6d6796f8025e2e3b24af6fd9

SHA512
fde285a30bdee6ea526f0884bf1756b16baee29602f013dae7e5a90857fe298e761757f2731459776d804b802373dd0759424fa07395f2ee1dcbbb9625301d34

Download Submit
C:\Users\HHuYRxB06.README.txt

Filesize
6KB

MD5
e0c192f44b3e01b49317a16cad0015ba

SHA1
0d123dc1f39d2c119973dc84cc2714036a805afb

SHA256
9bdb762e53665ba88e0c8056813215f054d8b0bb369f93589075b594baec385b

SHA512
7502370e5b606b4a7b1e321f54bc2f0878f6ff562b393a8569ba4f88437d4a14fd57b577ad297a66d24bb74acc3394f99ffdf03a78d91b7c0d6dab82c19f6cf7

Download Submit
\ProgramData\B03C.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1824-38-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1824-34-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1824-35-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/1824-36-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/1824-37-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1824-69-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1824-70-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2160-25-0x0000000003D20000-0x0000000003D60000-memory.dmp

Filesize
256KB

Download
memory/2160-0-0x00000000001A0000-0x00000000001E0000-memory.dmp

Filesize
256KB

Download
memory/2160-39-0x00000000001A0000-0x00000000001E0000-memory.dmp

Filesize
256KB

Download
memory/2160-40-0x0000000003D20000-0x0000000003D60000-memory.dmp

Filesize
256KB

Download
memory/2160-24-0x0000000003D20000-0x0000000003D60000-memory.dmp

Filesize
256KB

Download