707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881

Analysis

max time kernel
94s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit-main/Build.bat
Size

1KB
MD5

b8f24efd1d30aac9d360db90c8717aee
SHA1

7d31372560f81ea24db57bb18d56143251a8b266
SHA256

95df1d82137315708931f1fc3411e891cd42d1cab413d4380b479788729248ed
SHA512

14ebf7905f15983593164d1c093bb99d098daf3963f1b7a913c1a9763acb950075a0d2cceab3558cce3e7269c2a2d5dacc2b3c6c55807b0b6bda6bfad62dd032

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

keygen.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 2340 wrote to memory of 3016	2340	cmd.exe	84
PID 2340 wrote to memory of 3016	2340	cmd.exe	84
PID 2340 wrote to memory of 3016	2340	cmd.exe	84
PID 2340 wrote to memory of 1500	2340	cmd.exe	85
PID 2340 wrote to memory of 1500	2340	cmd.exe	85
PID 2340 wrote to memory of 1500	2340	cmd.exe	85
PID 2340 wrote to memory of 2380	2340	cmd.exe	86
PID 2340 wrote to memory of 2380	2340	cmd.exe	86
PID 2340 wrote to memory of 2380	2340	cmd.exe	86
PID 2340 wrote to memory of 2640	2340	cmd.exe	87
PID 2340 wrote to memory of 2640	2340	cmd.exe	87
PID 2340 wrote to memory of 2640	2340	cmd.exe	87
PID 2340 wrote to memory of 2384	2340	cmd.exe	88
PID 2340 wrote to memory of 2384	2340	cmd.exe	88
PID 2340 wrote to memory of 2384	2340	cmd.exe	88
PID 2340 wrote to memory of 1848	2340	cmd.exe	89
PID 2340 wrote to memory of 1848	2340	cmd.exe	89
PID 2340 wrote to memory of 1848	2340	cmd.exe	89
PID 2340 wrote to memory of 3260	2340	cmd.exe	90
PID 2340 wrote to memory of 3260	2340	cmd.exe	90
PID 2340 wrote to memory of 3260	2340	cmd.exe	90

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LockBit-main\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1848
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LockBit-main\Build\priv.key

Filesize
344B

MD5
24c9f34075660d2be2791ec372f43a98

SHA1
28c709f1adf1df4a2beacb3d36bae5da09362592

SHA256
48669fd461dce2bbca1bdffd0480b2dab66447246feeaffda18fa3c2ce550504

SHA512
97cbbf4ef75fdc843bf79939e1bbd185814de254c19b9e26bf9248b13dd20f11c1b15def25acdc958c9869a2fd1cfd65625eb15583b62859f8c8fd3571284643

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-main\Build\pub.key

Filesize
344B

MD5
48b91fa8a796337b91d22b31f8d0db55

SHA1
adeaf46e18b54ba5bc28a0a803930e76e9bcb3d4

SHA256
5c05b3389ecc8b378488c279a6bcb7a9d1c17f6a2fcf8e7c0f45852fce7b836a

SHA512
2ff93b48cbb8c9490f311f225ffa5d0499a85de065b2887c1f04667b685876fadd4a4f32df11f25f6d95aaa1a10842ffaac9f6693464c44b6d22190d46c9998e

Download Submit