7435f2c3f32ab84e2e575a627f418ce39e806ce59a3ad43e481d179deb88e500

General

Target

LockBit30/Build.bat
Size

741B
MD5

4e46e28b2e61643f6af70a8b19e5cb1f
SHA1

804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256

8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512

009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 108	3344	cmd.exe	81
PID 3344 wrote to memory of 108	3344	cmd.exe	81
PID 3344 wrote to memory of 108	3344	cmd.exe	81
PID 3344 wrote to memory of 464	3344	cmd.exe	82
PID 3344 wrote to memory of 464	3344	cmd.exe	82
PID 3344 wrote to memory of 464	3344	cmd.exe	82
PID 3344 wrote to memory of 3340	3344	cmd.exe	83
PID 3344 wrote to memory of 3340	3344	cmd.exe	83
PID 3344 wrote to memory of 3340	3344	cmd.exe	83
PID 3344 wrote to memory of 4944	3344	cmd.exe	84
PID 3344 wrote to memory of 4944	3344	cmd.exe	84
PID 3344 wrote to memory of 4944	3344	cmd.exe	84
PID 3344 wrote to memory of 4640	3344	cmd.exe	85
PID 3344 wrote to memory of 4640	3344	cmd.exe	85
PID 3344 wrote to memory of 4640	3344	cmd.exe	85
PID 3344 wrote to memory of 4204	3344	cmd.exe	86
PID 3344 wrote to memory of 4204	3344	cmd.exe	86
PID 3344 wrote to memory of 4204	3344	cmd.exe	86
PID 3344 wrote to memory of 980	3344	cmd.exe	87
PID 3344 wrote to memory of 980	3344	cmd.exe	87
PID 3344 wrote to memory of 980	3344	cmd.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LockBit30\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\LockBit30\Build -pubkey pub.key -privkey priv.key
  2⤵
  - System Location Discovery: System Language Discovery
  PID:108
- C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:464
- C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3340
- C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4944
- C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4204
- C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key

Filesize
344B

MD5
f79de15fb53cf4e319827e2327ff5051

SHA1
f710548c533a6749f222f4758fa75e650785c0f7

SHA256
7070bec19c1d173cd07ea03e25d630d0a899d6f788f7326715ade7752d866caf

SHA512
dc7db2231f92925448b451fc323f72856c039ede643caa86dcb7ced923c8a9612d5eb0290bfdabc5911031941c93aa6bcb19eb2ec0386661779516a67df92cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key

Filesize
344B

MD5
74a72982def38406d5d916e0d651fd28

SHA1
c903cf3facc51a2483e14dca8b8b08d1b5ba1b9f

SHA256
697e94778bf0e81799a1ab7eb90e728d251dbde15469e607531c42567059b40f

SHA512
a768f310d7573b29abd3ae9610c938222dc6e6eb97b84296dd6ee182a16eca208dd3984c70a4bf19055e750f73335e0cec66a30ac508b34a24ff702b5eeb1b0a

Download Submit

Analysis

Sharing