Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10Lockbit-Ra...er.exe
windows7-x64
9Lockbit-Ra...er.exe
windows10-2004-x64
9Lockbit-Ra...er.exe
windows7-x64
9Lockbit-Ra...er.exe
windows10-2004-x64
9Lockbit-Ra...en.exe
windows7-x64
9Lockbit-Ra...en.exe
windows10-2004-x64
9Lockbit-Ra...ME.vbs
windows7-x64
1Lockbit-Ra...ME.vbs
windows10-2004-x64
1Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26/11/2024, 14:21
Behavioral task
behavioral1
Sample
Lockbit-Ransomware-Builder-main/Builder.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Lockbit-Ransomware-Builder-main/Builder.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Lockbit-Ransomware-Builder-main/Decrypter.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
Lockbit-Ransomware-Builder-main/Decrypter.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Lockbit-Ransomware-Builder-main/KeyGen.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Lockbit-Ransomware-Builder-main/KeyGen.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Lockbit-Ransomware-Builder-main/README.vbs
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Lockbit-Ransomware-Builder-main/README.vbs
Resource
win10v2004-20241007-en
General
-
Target
Lockbit-Ransomware-Builder-main/KeyGen.exe
-
Size
146KB
-
MD5
39c9477cf131ca5ccc05c8871c0e10e6
-
SHA1
07b2581b2cb41053d09c4bb896aaabc1d28f2a7b
-
SHA256
939281eac1c6e5aa2e4238a1e545e67b2609c15f517474b2a5133bb64fe9c1eb
-
SHA512
689fd585232031f746b1573d3ed66ac329420611d4e1092ce6952b49ab0c168091726bd02189a4e183d1196ced4f51953e4eb25a5219a36f86d8f6761da9f129
-
SSDEEP
1536:xzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDqk3sA9atm8z+L8QBfuSoyAMjwT:KqJogYkcSNm9V7D7352v+L8DnyAewT
Malware Config
Signatures
-
Renames multiple (633) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation F3A8.tmp -
Deletes itself 1 IoCs
pid Process 4172 F3A8.tmp -
Executes dropped EXE 1 IoCs
pid Process 4172 F3A8.tmp -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini KeyGen.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini KeyGen.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PPza10fbrh6rjny2260z0nh6q1d.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPnbn50lt_lbrockakdlvf3ds9c.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP0sromhljt96r0nfsibm43pxhc.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\1pvSvxmZY.bmp" KeyGen.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1pvSvxmZY.bmp" KeyGen.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4172 F3A8.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F3A8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language KeyGen.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop KeyGen.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallpaperStyle = "10" KeyGen.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\1pvSvxmZY\DefaultIcon\ = "C:\\ProgramData\\1pvSvxmZY.ico" KeyGen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1pvSvxmZY KeyGen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1pvSvxmZY\ = "1pvSvxmZY" KeyGen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\1pvSvxmZY\DefaultIcon KeyGen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\1pvSvxmZY KeyGen.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe 1768 KeyGen.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp 4172 F3A8.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeDebugPrivilege 1768 KeyGen.exe Token: 36 1768 KeyGen.exe Token: SeImpersonatePrivilege 1768 KeyGen.exe Token: SeIncBasePriorityPrivilege 1768 KeyGen.exe Token: SeIncreaseQuotaPrivilege 1768 KeyGen.exe Token: 33 1768 KeyGen.exe Token: SeManageVolumePrivilege 1768 KeyGen.exe Token: SeProfSingleProcessPrivilege 1768 KeyGen.exe Token: SeRestorePrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeSystemProfilePrivilege 1768 KeyGen.exe Token: SeTakeOwnershipPrivilege 1768 KeyGen.exe Token: SeShutdownPrivilege 1768 KeyGen.exe Token: SeDebugPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeBackupPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe Token: SeSecurityPrivilege 1768 KeyGen.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 980 ONENOTE.EXE 980 ONENOTE.EXE 980 ONENOTE.EXE 980 ONENOTE.EXE 980 ONENOTE.EXE 980 ONENOTE.EXE 980 ONENOTE.EXE 980 ONENOTE.EXE 980 ONENOTE.EXE 980 ONENOTE.EXE 980 ONENOTE.EXE 980 ONENOTE.EXE 980 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1768 wrote to memory of 2204 1768 KeyGen.exe 91 PID 1768 wrote to memory of 2204 1768 KeyGen.exe 91 PID 1900 wrote to memory of 980 1900 printfilterpipelinesvc.exe 98 PID 1900 wrote to memory of 980 1900 printfilterpipelinesvc.exe 98 PID 1768 wrote to memory of 4172 1768 KeyGen.exe 100 PID 1768 wrote to memory of 4172 1768 KeyGen.exe 100 PID 1768 wrote to memory of 4172 1768 KeyGen.exe 100 PID 1768 wrote to memory of 4172 1768 KeyGen.exe 100 PID 4172 wrote to memory of 1352 4172 F3A8.tmp 101 PID 4172 wrote to memory of 1352 4172 F3A8.tmp 101 PID 4172 wrote to memory of 1352 4172 F3A8.tmp 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\Lockbit-Ransomware-Builder-main\KeyGen.exe"C:\Users\Admin\AppData\Local\Temp\Lockbit-Ransomware-Builder-main\KeyGen.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:2204
-
-
C:\ProgramData\F3A8.tmp"C:\ProgramData\F3A8.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F3A8.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:1352
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4496
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{2D1D0379-2C92-476F-A337-872B18538995}.xps" 1337710449715600002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:980
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5694dda34207c222cc57c22611b7f57ee
SHA17832c394ee2f9d603bb75c8a02698b04fa9a1d6e
SHA256200e569921e603cf6d226aa7f6f106e3671a3560ae64e558309cfe9e38ee308b
SHA51252cd5ff29e7bd5ca80b8d9b5f09373db5446cd3bda606baf1cb6cc346470610eb8df82ed545b70a8aba60dc51b9a21056d437a057e5d4bf49bb6ba157a08bb57
-
Filesize
348B
MD59810eed5ecd966874ebeb398ac6531ed
SHA117d2e2bc15df652734b79185cb323e652559fd6a
SHA25653183e5ed0cf42bed46b17c9dcc92ea49737bb57dce34f1e20675a913796566e
SHA512b26ca61461ed8b09f037e33d209cd0a22959b89e3e7895e057f544010fd5ae037e4fa76311763c121cd6e8b3050de22fa7d2163b4d9cf40585e14f5024e0cb79
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
146KB
MD5fbf55bc0d705b30bb0002c279dd1d31f
SHA1d2aa0216710e7de9fa8014b55e56c01288ce2bf8
SHA256bee433ae6c1ea7c42762811b77980bd9933599e462e00af20fe286461cf2068b
SHA512019d09002e2cd9bc971934a2495fce31e3af80e79cf9f067bffe16426b9726302da41e631dbadb4cf1ff884016c96d9c64771ee7ca3a594547645105664c0a96
-
Filesize
4KB
MD54e21b3df103ae131931ea2a8276582b1
SHA147ab128cf3c39a1220858d2906eae7d0caeb8b1d
SHA25685a470a4da8027d44fef24d8f099de2cb64ec4640c41a7520f122402ae8da3fe
SHA5127c43bec171901e409af276eb7af897e089f9a3a0004fa0511b215f0b973e7adad4980853b61c34312bc85b04db3473f5ecaa473c5a8255ed1d91b31947c4d6c8
-
Filesize
129B
MD5d00cd9b1f789d4956b3ff06d1e81a565
SHA160d15bdbe108aaf64d175770293b2a74a464bd9f
SHA2563f6bc6040f9e738215c2ed075383f31735ac2e69955467db2b4243535a236384
SHA51201a5ab272071f77402dd02d4d184b626203868d061096ffa0abccb7bafbe3e5e3f565e8105b7c96f4a056223a8942291f846e25087797f7955da749ee21781cd