Overview

overview

10

Static

static

10

Lockbit-Ra...er.exe

windows7-x64

9

Lockbit-Ra...er.exe

windows10-2004-x64

9

Lockbit-Ra...er.exe

windows7-x64

9

Lockbit-Ra...er.exe

windows10-2004-x64

9

Lockbit-Ra...en.exe

windows7-x64

9

Lockbit-Ra...en.exe

windows10-2004-x64

9

Lockbit-Ra...ME.vbs

windows7-x64

1

Lockbit-Ra...ME.vbs

windows10-2004-x64

1

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 14:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Lockbit-Ransomware-Builder-main/KeyGen.exe

  • Size

    146KB

  • MD5

    39c9477cf131ca5ccc05c8871c0e10e6

  • SHA1

    07b2581b2cb41053d09c4bb896aaabc1d28f2a7b

  • SHA256

    939281eac1c6e5aa2e4238a1e545e67b2609c15f517474b2a5133bb64fe9c1eb

  • SHA512

    689fd585232031f746b1573d3ed66ac329420611d4e1092ce6952b49ab0c168091726bd02189a4e183d1196ced4f51953e4eb25a5219a36f86d8f6761da9f129

  • SSDEEP

    1536:xzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDqk3sA9atm8z+L8QBfuSoyAMjwT:KqJogYkcSNm9V7D7352v+L8DnyAewT

Score
9/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (620) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lockbit-Ransomware-Builder-main\KeyGen.exe
    "C:\Users\Admin\AppData\Local\Temp\Lockbit-Ransomware-Builder-main\KeyGen.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:1800
    • C:\ProgramData\AE04.tmp
      "C:\ProgramData\AE04.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:5640
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AE04.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5276
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:4228
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5304
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{529CFAA1-8CA7-4BCF-A9A5-C4E82C3F0A28}.xps" 133771062840940000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:5544

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\AAAAAAAAAAA
      Filesize

      129B

      MD5

      b5c4dc63721985816f24a69639bade52

      SHA1

      192259959ca8096fb2390b2e0f43f64984e01bac

      SHA256

      647fd48d340613c91bcfd1c1cf1bf2bb8c05133a44c1134e40a4db51d8d82946

      SHA512

      f7344c0f2cb4a43b09e689123229118020202f639de718fed9b57a7d65e6cedf0498322a409a4e21fd551d3a9690d1a297d4f99050f1ce97c0edcc3e5e29bf38

      Download Submit

    • C:\1pvSvxmZY.README.txt
      Filesize

      348B

      MD5

      9810eed5ecd966874ebeb398ac6531ed

      SHA1

      17d2e2bc15df652734b79185cb323e652559fd6a

      SHA256

      53183e5ed0cf42bed46b17c9dcc92ea49737bb57dce34f1e20675a913796566e

      SHA512

      b26ca61461ed8b09f037e33d209cd0a22959b89e3e7895e057f544010fd5ae037e4fa76311763c121cd6e8b3050de22fa7d2163b4d9cf40585e14f5024e0cb79

      Download Submit

    • C:\ProgramData\AE04.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Lockbit-Ransomware-Builder-main\BBBBBBBBBB
      Filesize

      146KB

      MD5

      28c7522d735d8d6f27406355a1343b9c

      SHA1

      e41bd6263bc47f2a0d316de1efabf4f248244ae2

      SHA256

      a212445443220238e7f11e6e321a2b5d83b3f7d8d8c271b3b0f230c853a05d0b

      SHA512

      315a1616fc359caabaa51ff13bdcc45d915a5437d319d1d20c3afb875a793273b3da8ce3dc44c12edd2d61d5d1a4a08a4deb53c39c0fc04e1f6e6b96ad6bcaa8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{5B47B57B-B56D-4201-8A0F-F93ED3370CF9}
      Filesize

      4KB

      MD5

      496558b85105f5333311c57a563f3d84

      SHA1

      6543a9893999ec7b9d32f2811b643ecb5a124671

      SHA256

      3ee2f3b46676fc86e344e4081e3848b1add41758d10fe5de1de4e3ac3de5d0c7

      SHA512

      4109f56d888e422188d4cdb68921090bd4440e7f0a1f51adfb12c042d2bf17c8b21f410714ae67830262ac209bf051f28737fe20ab200df5c7bf3dde63c4d9fc

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      7f7ba331f4f6c33c7250e5a23e3dd96e

      SHA1

      826c139d963006f1a73818c380cea37e2bd931bf

      SHA256

      9165b8c06d09a336cbec9307280911fceb7a92b7c436f8ccf3355d446dfa7e90

      SHA512

      b2910d25425f15c6018102698173b0fbbd23e98ec741968908d4a8e70241a3f4824463b01681ddba928284cbdf1f78b9e08bfdacb875d157f61cf2fc05a0cb9e

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2437139445-1151884604-3026847218-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      f737369365ceffb0d796302c9d769b0a

      SHA1

      516c5f023a44a1250af29a04891fe8d61cbdefd0

      SHA256

      9b63d9903d5a689128a6f16a590fe3b286ffba807ebcfd77fddee7124e88236c

      SHA512

      6e1561dcbd1f4160493bdb5836bed322473d42bfdde9bceba237ab855e1eb40b860bc608bdb2cd85287abdc6c8bcb5b50e69084b9843612c744556ba2e65127e

      Download Submit

    • memory/4776-0-0x0000000002D20000-0x0000000002D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4776-1-0x0000000002D20000-0x0000000002D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4776-2865-0x0000000002D20000-0x0000000002D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4776-2866-0x0000000002D20000-0x0000000002D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4776-2867-0x0000000002D20000-0x0000000002D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4776-2-0x0000000002D20000-0x0000000002D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5544-2881-0x00007FFCF27D0000-0x00007FFCF27E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5544-2886-0x00007FFCF27D0000-0x00007FFCF27E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5544-2887-0x00007FFCF27D0000-0x00007FFCF27E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5544-2916-0x00007FFCEFE70000-0x00007FFCEFE80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5544-2917-0x00007FFCEFE70000-0x00007FFCEFE80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5544-2882-0x00007FFCF27D0000-0x00007FFCF27E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5544-2883-0x00007FFCF27D0000-0x00007FFCF27E0000-memory.dmp

      Filesize

      64KB

      Download