Overview

overview

10

Static

static

10

LockBit-Bl...ld.bat

windows10-2004-x64

1

LockBit-Bl...B3.exe

windows10-2004-x64

10

LockBit-Bl...or.exe

windows10-2004-x64

1

LockBit-Bl...in.dll

windows10-2004-x64

7

LockBit-Bl...32.dll

windows10-2004-x64

1

LockBit-Bl...ss.dll

windows10-2004-x64

10

LockBit-Bl...ss.exe

windows10-2004-x64

10

LockBit-Bl...er.exe

windows10-2004-x64

1

LockBit-Bl...en.exe

windows10-2004-x64

1

LockBit-Bl...ld.bat

windows10-2004-x64

1

LockBit-Bl...B3.exe

windows10-2004-x64

10

LockBit-Bl...or.exe

windows10-2004-x64

5

LockBit-Bl...in.dll

windows10-2004-x64

10

LockBit-Bl...32.dll

windows10-2004-x64

1

LockBit-Bl...ss.dll

windows10-2004-x64

10

LockBit-Bl...ss.exe

windows10-2004-x64

10

LockBit-Bl...er.exe

windows10-2004-x64

1

LockBit-Bl...en.exe

windows10-2004-x64

1

Resubmissions

23-05-2024 09:35

240523-lkmh5scb37 10

28-04-2024 14:29

240428-rth5zahg49 10

Analysis

  • max time kernel
    147s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 09:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LockBit-Black-Builder-main/LockBit-Black-Builder-main/LockBit30/Build/LB3.exe

  • Size

    153KB

  • MD5

    c73eac0c837c3c5caca3a885f46c17d9

  • SHA1

    a0ca9511b40c9c2451986ce179016ec4014e9adb

  • SHA256

    e609bf8406b61613f3e605d277cf445059974a4c71c3edd09fffae86a3c5dbfe

  • SHA512

    157c92e561cd18876ab60faf8a3d8e62633e7750accb965e86f3202b0d5ff902d3ae51fb41592d9be22672e67a713291e469a09be57e6f77dd6343090324792a

  • SSDEEP

    3072:xqJogYkcSNm9V7D2YRLCm8ZdqVAxrMismEm8T:xq2kc4m9tDlhLqb

Score
10/10
lockbitransomwarespywarestealer

Malware Config

Extracted

Path

C:\ZImkTWSLZ.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: 21EFEFD3564BFFCFBC6685725E90382B >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Renames multiple (625) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:5848
    • C:\ProgramData\1624.tmp
      "C:\ProgramData\1624.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1624.tmp >> NUL
        3⤵
          PID:3824
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:5900
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3960,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:8
        1⤵
          PID:5972
        • C:\Windows\system32\printfilterpipelinesvc.exe
          C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
          1⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
            /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{2360860F-6CDF-45D2-A544-1D4812C4F11D}.xps" 133609305570280000
            2⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of SetWindowsHookEx
            PID:3268

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\GGGGGGGGGGG
          Filesize

          129B

          MD5

          0bd402040e531b2c8dc9d1cb2dbf87a0

          SHA1

          3f3ea2c16fa6eb4f29dd4bf0de2d6e98ae90baea

          SHA256

          2c452a0747e55a78b3104484b126c8ba1ad08ed47e2b0a906697a07eac3b1e86

          SHA512

          659026f591a2259eb1e367962e7bc68f869ce6d10356abf27c039f9e077c766ec486d2102ac16203952d0d6f1f55e94ce55868b27a2d5005190c19333d2442dd

          Download Submit

        • C:\ProgramData\1624.tmp
          Filesize

          14KB

          MD5

          294e9f64cb1642dd89229fff0592856b

          SHA1

          97b148c27f3da29ba7b18d6aee8a0db9102f47c9

          SHA256

          917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

          SHA512

          b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\EEEEEEE
          Filesize

          153KB

          MD5

          9fb570df1bdc5025d6cb82d8e067468e

          SHA1

          371e70a5cd4aa17267d22e4ee5c1bbcca5183f85

          SHA256

          1da3eb93e5d0d4a614be78170d2d87ae2405cfc4c16db160ab464be03074ace8

          SHA512

          fea55aff5f60ae2ebe48e5ef47cb400021ec6a1cee63a77a42d239502d9ab7b918567fd328da58895482946ac2bbc99f46c9464faa6f4f0ddd2b88363207f61b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\{FDB05E52-2D53-4C57-B7AB-31D33553D783}
          Filesize

          4KB

          MD5

          c31dfe758c98a03bcf301ac9ed0fe96a

          SHA1

          934804b9da43ea2c1830d54180ba974990183d96

          SHA256

          dec455086606fa8e41eadcdedf8e0a3adbd134a4403209f66a61498b0d7b8aab

          SHA512

          29cbf4ab7598f1ce782599e4398d4c0742f3909a9ae7fa33707b62053f238474937e412994a5952ddb451641943a6186ae66a5f8e2f489b4f2d601c5143e6ef5

          Download Submit

        • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
          Filesize

          4KB

          MD5

          6be212d62bfedc05ef13edb0959b0fd2

          SHA1

          4ca6b8c43ae4476b4193cf6b3ebed49ca151bc1b

          SHA256

          c5ef2733ee2ba4076b51294f5a1e8cbd1a321071957947e26396315864d40a11

          SHA512

          6cab4d4076c0389d9908022754be49d230fa966f158b270a57547cee47bc75fba12c2e7461a32ec552ccdeeb1c6a0be79ee9b1aeb3ad4d8a2867581f98a45438

          Download Submit

        • C:\ZImkTWSLZ.README.txt
          Filesize

          6KB

          MD5

          34e6a8f5d71618b6d5f7a86bf63a91f6

          SHA1

          9855d5cccad840aa7dd89c8edff9019be7cd3679

          SHA256

          14dcbd8d56bd6c1e1562d5e7956a5643ad2a49df8212b37e2d2a86023aef8033

          SHA512

          14edf39c7b155c99239e99c11b92bff8aa6b5aa14ac93d7c208c88771fc0675785e02b274fccaf608530a7ae5588a3ef14c637c75fab225c477051c4d02cd861

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-1181767204-2009306918-3718769404-1000\DDDDDDDDDDD
          Filesize

          129B

          MD5

          ff67ee222d2f1a00a753aceb28e5ec14

          SHA1

          dcf8c1dc5822dc95a4e990eda45970529ddbbbdd

          SHA256

          89910fe14d0898b059b86c3cce3f4f5b3c2e830a0db8fc0fc30c2387f8bd2801

          SHA512

          8ea17405cc5e1ea04240e3a756686ed7b2a948ae31f0cfa467c67abca41543ff8bfc12263dcf00d6fc2c81d4f49ecce6a016ca713baf3f5519289d93435bb3a1

          Download Submit

        • memory/1920-0-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1920-1-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1920-2-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3268-2828-0x00007FFF70010000-0x00007FFF70020000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3268-2830-0x00007FFF70010000-0x00007FFF70020000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3268-2829-0x00007FFF70010000-0x00007FFF70020000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3268-2832-0x00007FFF70010000-0x00007FFF70020000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3268-2831-0x00007FFF70010000-0x00007FFF70020000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3268-2861-0x00007FFF6DE70000-0x00007FFF6DE80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3268-2862-0x00007FFF6DE70000-0x00007FFF6DE80000-memory.dmp

          Filesize

          64KB

          Download