707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit-main/Build.bat
Size

1KB
MD5

b8f24efd1d30aac9d360db90c8717aee
SHA1

7d31372560f81ea24db57bb18d56143251a8b266
SHA256

95df1d82137315708931f1fc3411e891cd42d1cab413d4380b479788729248ed
SHA512

14ebf7905f15983593164d1c093bb99d098daf3963f1b7a913c1a9763acb950075a0d2cceab3558cce3e7269c2a2d5dacc2b3c6c55807b0b6bda6bfad62dd032

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

keygen.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 512 wrote to memory of 2076	512	cmd.exe	88
PID 512 wrote to memory of 2076	512	cmd.exe	88
PID 512 wrote to memory of 2076	512	cmd.exe	88
PID 512 wrote to memory of 1512	512	cmd.exe	89
PID 512 wrote to memory of 1512	512	cmd.exe	89
PID 512 wrote to memory of 1512	512	cmd.exe	89
PID 512 wrote to memory of 4956	512	cmd.exe	90
PID 512 wrote to memory of 4956	512	cmd.exe	90
PID 512 wrote to memory of 4956	512	cmd.exe	90
PID 512 wrote to memory of 2324	512	cmd.exe	91
PID 512 wrote to memory of 2324	512	cmd.exe	91
PID 512 wrote to memory of 2324	512	cmd.exe	91
PID 512 wrote to memory of 4980	512	cmd.exe	92
PID 512 wrote to memory of 4980	512	cmd.exe	92
PID 512 wrote to memory of 4980	512	cmd.exe	92
PID 512 wrote to memory of 2636	512	cmd.exe	93
PID 512 wrote to memory of 2636	512	cmd.exe	93
PID 512 wrote to memory of 2636	512	cmd.exe	93
PID 512 wrote to memory of 2016	512	cmd.exe	94
PID 512 wrote to memory of 2016	512	cmd.exe	94
PID 512 wrote to memory of 2016	512	cmd.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LockBit-main\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:512
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4956
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4980
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LockBit-main\Build\priv.key

Filesize
344B

MD5
30d1018f7c99014ad6ed3ea0a507fd66

SHA1
776b9f8c350347c819b783314e22970cf95acd76

SHA256
ab829cea3bc90705c5f90fd39836ff7be9b5dc6d4de51800d478c78c1aa24814

SHA512
d28a8b4caa4832660fce1d0ac824f03b35404672dcab37e33ed0d30283a3149572649767285eb359daf0567f1a233f9bc1c197c0d932735b91ba0fa062f469b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-main\Build\pub.key

Filesize
344B

MD5
ce002bd13682ae9c9d10c02b65a6363b

SHA1
feed3f3d83e38a5c54c9d206d5bfe599693663f8

SHA256
7a79a4c2e17c0ab65183a102b5c50e2010fc384f24db144faf88b0ea710e7ec5

SHA512
13e12d9baab5687c0c38999643ba144c3335d27f41661fffde35d72015b42864cb69163286bfd8b84c1edb0d75c40f0b9d8f935ea079849974c30f4687d79484

Download Submit