7435f2c3f32ab84e2e575a627f418ce39e806ce59a3ad43e481d179deb88e500

Analysis

max time kernel
95s
max time network
130s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-10-2024 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit30/Build.bat
Size

741B
MD5

4e46e28b2e61643f6af70a8b19e5cb1f
SHA1

804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256

8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512

009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 688	4000	cmd.exe	81
PID 4000 wrote to memory of 688	4000	cmd.exe	81
PID 4000 wrote to memory of 688	4000	cmd.exe	81
PID 4000 wrote to memory of 4288	4000	cmd.exe	83
PID 4000 wrote to memory of 4288	4000	cmd.exe	83
PID 4000 wrote to memory of 4288	4000	cmd.exe	83
PID 4000 wrote to memory of 3188	4000	cmd.exe	84
PID 4000 wrote to memory of 3188	4000	cmd.exe	84
PID 4000 wrote to memory of 3188	4000	cmd.exe	84
PID 4000 wrote to memory of 4684	4000	cmd.exe	85
PID 4000 wrote to memory of 4684	4000	cmd.exe	85
PID 4000 wrote to memory of 4684	4000	cmd.exe	85
PID 4000 wrote to memory of 1868	4000	cmd.exe	86
PID 4000 wrote to memory of 1868	4000	cmd.exe	86
PID 4000 wrote to memory of 1868	4000	cmd.exe	86
PID 4000 wrote to memory of 2940	4000	cmd.exe	87
PID 4000 wrote to memory of 2940	4000	cmd.exe	87
PID 4000 wrote to memory of 2940	4000	cmd.exe	87
PID 4000 wrote to memory of 1904	4000	cmd.exe	88
PID 4000 wrote to memory of 1904	4000	cmd.exe	88
PID 4000 wrote to memory of 1904	4000	cmd.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LockBit30\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\LockBit30\Build -pubkey pub.key -privkey priv.key
  2⤵
  - System Location Discovery: System Language Discovery
  PID:688
- C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4288
- C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3188
- C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4684
- C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1868
- C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key

Filesize
344B

MD5
36709eb70e91582749d8bfcff87ef031

SHA1
abe563b3962c03c3ae0248d58b1f7e32943c69c2

SHA256
368a6cc398b1df3546bb953700e1ae6301bcf9208df9b04bb2fc9711ae5c719e

SHA512
35f9ed499500a912c97dd1b38ede10dc392c2949c9bf7a1111caf749880b8f857fb31c4b463a4245e4105cab2c162d9da1f89c3b5982e9514a3379df7cb7e5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key

Filesize
344B

MD5
ff8469ae3059bd5d6cbe5ad82c8cad48

SHA1
d44dc47a91e3740c8544df8884c1fee1ea20a987

SHA256
19713888ef8334f5215c60a963be64e6459ca784a43093a1fe34f60778228302

SHA512
1f77ef3d2ccb6fbf7e3b73f51521749203a985dd119c2e9b30701679341d7ff76a45ef00ffe67ea4f4ab6074cbbb4d5bb00bd3444676de51473894383336ee90

Download Submit