lockbit | 707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881

Analysis

max time kernel
95s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit-main (1).zip
Size

292KB
MD5

68309717a780fd8b4d1a1680874d3e12
SHA1

4cfe4f5bbd98fa7e966184e647910d675cdbda43
SHA256

707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881
SHA512

e16de0338b1e1487803d37da66d16bc2f2644138615cbce648ae355f088912a04d1ce128a44797ff8c4dfc53c998058432052746c98c687670e4100194013149
SSDEEP

6144:n42LBVCsV+PkMeW9zTiY/NaQmHst5ySPzmcfIMwmafvR:n4EzwkMeWgY1NmyESPB1/aXR

Score

10^/10

lockbit discovery ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023b7b-13.dat	family_lockbit

Executes dropped EXE 10 IoCs

Processes:

builder.exekeygen.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exekeygen.exe

pid	Process
736	builder.exe
2600	keygen.exe
2776	builder.exe
1188	builder.exe
3564	builder.exe
3232	builder.exe
684	builder.exe
756	builder.exe
1240	builder.exe
4536	keygen.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

keygen.exekeygen.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

7zFM.exe

pid	Process
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
4024	7zFM.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

7zFM.exe

description	pid	Process
Token: SeRestorePrivilege	4024	7zFM.exe
Token: 35	4024	7zFM.exe
Token: SeSecurityPrivilege	4024	7zFM.exe
Token: SeSecurityPrivilege	4024	7zFM.exe
Token: SeSecurityPrivilege	4024	7zFM.exe
Token: SeSecurityPrivilege	4024	7zFM.exe
Token: SeSecurityPrivilege	4024	7zFM.exe
Token: SeSecurityPrivilege	4024	7zFM.exe
Token: SeSecurityPrivilege	4024	7zFM.exe
Token: SeSecurityPrivilege	4024	7zFM.exe
Token: SeSecurityPrivilege	4024	7zFM.exe
Token: SeSecurityPrivilege	4024	7zFM.exe
Token: SeSecurityPrivilege	4024	7zFM.exe
Token: SeSecurityPrivilege	4024	7zFM.exe

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

7zFM.exe

pid	Process
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

7zFM.exe

description	pid	Process	procid_target
PID 4024 wrote to memory of 736	4024	7zFM.exe	90
PID 4024 wrote to memory of 736	4024	7zFM.exe	90
PID 4024 wrote to memory of 736	4024	7zFM.exe	90
PID 4024 wrote to memory of 2600	4024	7zFM.exe	92
PID 4024 wrote to memory of 2600	4024	7zFM.exe	92
PID 4024 wrote to memory of 2600	4024	7zFM.exe	92
PID 4024 wrote to memory of 2912	4024	7zFM.exe	93
PID 4024 wrote to memory of 2912	4024	7zFM.exe	93
PID 4024 wrote to memory of 2776	4024	7zFM.exe	97
PID 4024 wrote to memory of 2776	4024	7zFM.exe	97
PID 4024 wrote to memory of 2776	4024	7zFM.exe	97
PID 4024 wrote to memory of 1188	4024	7zFM.exe	98
PID 4024 wrote to memory of 1188	4024	7zFM.exe	98
PID 4024 wrote to memory of 1188	4024	7zFM.exe	98
PID 4024 wrote to memory of 3564	4024	7zFM.exe	99
PID 4024 wrote to memory of 3564	4024	7zFM.exe	99
PID 4024 wrote to memory of 3564	4024	7zFM.exe	99
PID 4024 wrote to memory of 3232	4024	7zFM.exe	100
PID 4024 wrote to memory of 3232	4024	7zFM.exe	100
PID 4024 wrote to memory of 3232	4024	7zFM.exe	100
PID 4024 wrote to memory of 684	4024	7zFM.exe	101
PID 4024 wrote to memory of 684	4024	7zFM.exe	101
PID 4024 wrote to memory of 684	4024	7zFM.exe	101
PID 4024 wrote to memory of 756	4024	7zFM.exe	102
PID 4024 wrote to memory of 756	4024	7zFM.exe	102
PID 4024 wrote to memory of 756	4024	7zFM.exe	102
PID 4024 wrote to memory of 1240	4024	7zFM.exe	103
PID 4024 wrote to memory of 1240	4024	7zFM.exe	103
PID 4024 wrote to memory of 1240	4024	7zFM.exe	103
PID 4024 wrote to memory of 4536	4024	7zFM.exe	104
PID 4024 wrote to memory of 4536	4024	7zFM.exe	104
PID 4024 wrote to memory of 4536	4024	7zFM.exe	104

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LockBit-main (1).zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\7zO8BFF2787\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8BFF2787\builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:736
- C:\Users\Admin\AppData\Local\Temp\7zO8BFE67F7\keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8BFE67F7\keygen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO8BFFB2E7\Build.bat" "
  2⤵
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\7zO8BFD9618\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8BFD9618\builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\7zO8BFA2118\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8BFA2118\builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\7zO8BF2BF08\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8BF2BF08\builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3564
- C:\Users\Admin\AppData\Local\Temp\7zO8BFA4E08\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8BFA4E08\builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3232
- C:\Users\Admin\AppData\Local\Temp\7zO8BFD7C08\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8BFD7C08\builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:684
- C:\Users\Admin\AppData\Local\Temp\7zO8BFAEB08\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8BFAEB08\builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:756
- C:\Users\Admin\AppData\Local\Temp\7zO8BF24A08\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8BF24A08\builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1240
- C:\Users\Admin\AppData\Local\Temp\7zO8BF8B308\keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8BF8B308\keygen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO8BFE67F7\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8BFF2787\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8BFFB2E7\Build.bat

Filesize
1KB

MD5
b8f24efd1d30aac9d360db90c8717aee

SHA1
7d31372560f81ea24db57bb18d56143251a8b266

SHA256
95df1d82137315708931f1fc3411e891cd42d1cab413d4380b479788729248ed

SHA512
14ebf7905f15983593164d1c093bb99d098daf3963f1b7a913c1a9763acb950075a0d2cceab3558cce3e7269c2a2d5dacc2b3c6c55807b0b6bda6bfad62dd032

Download Submit