Overview
overview
10Static
static
10LockBit-Bl...ld.bat
windows10-2004-x64
1LockBit-Bl...B3.exe
windows10-2004-x64
10LockBit-Bl...or.exe
windows10-2004-x64
1LockBit-Bl...in.dll
windows10-2004-x64
7LockBit-Bl...32.dll
windows10-2004-x64
1LockBit-Bl...ss.dll
windows10-2004-x64
10LockBit-Bl...ss.exe
windows10-2004-x64
10LockBit-Bl...er.exe
windows10-2004-x64
1LockBit-Bl...en.exe
windows10-2004-x64
1LockBit-Bl...ld.bat
windows10-2004-x64
1LockBit-Bl...B3.exe
windows10-2004-x64
10LockBit-Bl...or.exe
windows10-2004-x64
5LockBit-Bl...in.dll
windows10-2004-x64
10LockBit-Bl...32.dll
windows10-2004-x64
1LockBit-Bl...ss.dll
windows10-2004-x64
10LockBit-Bl...ss.exe
windows10-2004-x64
10LockBit-Bl...er.exe
windows10-2004-x64
1LockBit-Bl...en.exe
windows10-2004-x64
1Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 09:35
Behavioral task
behavioral1
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit30/Build.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit30/Build/LB3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit30/Build/LB3Decryptor.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit30/Build/LB3_ReflectiveDll_DllMain.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit30/Build/LB3_Rundll32.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit30/Build/LB3_Rundll32_pass.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit30/Build/LB3_pass.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit30/builder.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit30/keygen.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit3Builder/Build.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit3Builder/Build/LB3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit3Builder/Build/LB3Decryptor.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit3Builder/Build/LB3_ReflectiveDll_DllMain.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit3Builder/Build/LB3_Rundll32.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit3Builder/Build/LB3_Rundll32_pass.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit3Builder/Build/LB3_pass.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit3Builder/builder.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit3Builder/keygen.exe
Resource
win10v2004-20240426-en
General
-
Target
LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit3Builder/Build/LB3_ReflectiveDll_DllMain.dll
-
Size
107KB
-
MD5
660679f8d44100cd240add9862598d66
-
SHA1
afca2fd0af09265e099e8cf5b898ea45f01f288a
-
SHA256
6667b29705a3c882d536589dc9d7193725ecdbc42c8bb0cc60f3c9d6d0240275
-
SHA512
d347ed75a08678af1eb449230f437d6f0fb3da6f98a6f7d36eaf73c7cd1399ec9712b940b370a92fa9b8d6a2ece5c607e86ecbfa12cc6cda3df85d66475091dd
-
SSDEEP
3072:n9bfmBYtGb2kZlBmLmmnFPNeSDkDqS4AJ:n9ptGakZlsLXFISDzAJ
Malware Config
Extracted
C:\Users\HHuYRxB06.README.txt
lockbit
598954663666452@exploit.im
365473292355268@thesecure.biz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Renames multiple (365) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation 3DC4.tmp -
Deletes itself 1 IoCs
pid Process 3880 3DC4.tmp -
Executes dropped EXE 1 IoCs
pid Process 3880 3DC4.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 3880 3DC4.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06\DefaultIcon rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06 rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06\DefaultIcon\ = "C:\\ProgramData\\HHuYRxB06.ico" rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.HHuYRxB06 rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.HHuYRxB06\ = "HHuYRxB06" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp 3880 3DC4.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeDebugPrivilege 2276 rundll32.exe Token: 36 2276 rundll32.exe Token: SeImpersonatePrivilege 2276 rundll32.exe Token: SeIncBasePriorityPrivilege 2276 rundll32.exe Token: SeIncreaseQuotaPrivilege 2276 rundll32.exe Token: 33 2276 rundll32.exe Token: SeManageVolumePrivilege 2276 rundll32.exe Token: SeProfSingleProcessPrivilege 2276 rundll32.exe Token: SeRestorePrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeSystemProfilePrivilege 2276 rundll32.exe Token: SeTakeOwnershipPrivilege 2276 rundll32.exe Token: SeShutdownPrivilege 2276 rundll32.exe Token: SeDebugPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeAssignPrimaryTokenPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeDebugPrivilege 2276 rundll32.exe Token: 36 2276 rundll32.exe Token: SeImpersonatePrivilege 2276 rundll32.exe Token: SeIncBasePriorityPrivilege 2276 rundll32.exe Token: SeIncreaseQuotaPrivilege 2276 rundll32.exe Token: 33 2276 rundll32.exe Token: SeManageVolumePrivilege 2276 rundll32.exe Token: SeProfSingleProcessPrivilege 2276 rundll32.exe Token: SeRestorePrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeSystemProfilePrivilege 2276 rundll32.exe Token: SeTakeOwnershipPrivilege 2276 rundll32.exe Token: SeShutdownPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeSecurityPrivilege 2276 rundll32.exe Token: SeBackupPrivilege 2276 rundll32.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2172 wrote to memory of 2276 2172 rundll32.exe 82 PID 2172 wrote to memory of 2276 2172 rundll32.exe 82 PID 2172 wrote to memory of 2276 2172 rundll32.exe 82 PID 2276 wrote to memory of 3880 2276 rundll32.exe 84 PID 2276 wrote to memory of 3880 2276 rundll32.exe 84 PID 2276 wrote to memory of 3880 2276 rundll32.exe 84 PID 2276 wrote to memory of 3880 2276 rundll32.exe 84 PID 3880 wrote to memory of 3228 3880 3DC4.tmp 85 PID 3880 wrote to memory of 3228 3880 3DC4.tmp 85 PID 3880 wrote to memory of 3228 3880 3DC4.tmp 85
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3_ReflectiveDll_DllMain.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3_ReflectiveDll_DllMain.dll,#12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\ProgramData\3DC4.tmp"C:\ProgramData\3DC4.tmp"3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3DC4.tmp >> NUL4⤵PID:3228
-
-
-
Network
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request69.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request183.59.114.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request0.204.248.87.in-addr.arpaIN PTRResponse0.204.248.87.in-addr.arpaIN PTRhttps-87-248-204-0lhrllnwnet
-
Remote address:8.8.8.8:53Request205.47.74.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
GEThttps://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90Remote address:23.62.61.72:443RequestGET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Thu, 23 May 2024 09:37:32 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.443d3e17.1716457052.c02850
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 555746
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 56AADD319618434B8AB6B7A962110637 Ref B: LON04EDGE1017 Ref C: 2024-05-23T09:37:32Z
date: Thu, 23 May 2024 09:37:32 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 638730
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2AEC5FBD5FBB4AC1B4D290279D243E0F Ref B: LON04EDGE1017 Ref C: 2024-05-23T09:37:32Z
date: Thu, 23 May 2024 09:37:32 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9ED8B64C2C164BF09CBA2DBCCCE2B040 Ref B: LON04EDGE1017 Ref C: 2024-05-23T09:37:32Z
date: Thu, 23 May 2024 09:37:32 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 621794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CD310E98A4C14044ACEF5A64154FEADE Ref B: LON04EDGE1017 Ref C: 2024-05-23T09:37:32Z
date: Thu, 23 May 2024 09:37:32 GMT
-
Remote address:8.8.8.8:53Request72.61.62.23.in-addr.arpaIN PTRResponse72.61.62.23.in-addr.arpaIN PTRa23-62-61-72deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request11.179.89.13.in-addr.arpaIN PTRResponse
-
23.62.61.72:443https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90tls, http21.5kB 6.4kB 17 12
HTTP Request
GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90HTTP Response
200 -
1.2kB 8.1kB 16 14
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http2108.0kB 2.6MB 1893 1885
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200 -
1.2kB 8.1kB 16 13
-
1.2kB 8.1kB 16 14
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
69.31.126.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
183.59.114.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
71 B 116 B 1 1
DNS Request
0.204.248.87.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
205.47.74.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
-
62 B 173 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
-
70 B 133 B 1 1
DNS Request
72.61.62.23.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
11.179.89.13.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit3Builder\Build\DDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize107KB
MD53ef953eb233b161780e58f7bd6e8518d
SHA1bf2277369da82c372437cec08523da83b4fabf85
SHA2567cea527cc9bc1072dc80053113a4f7f6b8cfccc3422ef7f6843cc3b037bd796d
SHA51272c66cedb71be16690147b4f6a0358b7f92a9a85fda199d89eafb905ad1abcc31ef11f8b5932acd55e3aa4593d7387e11d9d41cb00a04c45b131889748def137
-
Filesize
6KB
MD58d0650dabb5b64e0c30cc78902eb9331
SHA1aab1e7fc965edb489df0a36e4432927247acfbe1
SHA256f4d952de4bfcdc57dd22cdde83e9c4229262afb591758ec5d3a7d2fbab48424c
SHA512702a686c9029bc1700e15df4b1ee6d4a790660f244be9d99fae9e8fe5ddf0c61bf2acad2d70fe348ca724ed3fb0b2db98ac8e99dc348b5944eda47232c34dda8