Resubmissions
05/02/2025, 10:54 | 250205-mzsjdatkc1 | score 10
02/01/2025, 17:47 | 250102-wctmlasqdn | score 10
02/01/2025, 17:37 | 250102-v7dn7asnel | score 10
31/12/2024, 15:09 | 241231-sjtdmaylbk | score 10
31/12/2024, 14:28 | 241231-rtcm7axjej | score 10
Analysis
max time kernel: 62s
max time network: 64s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2024, 14:28
Behavioral tasks
behavioral1: Sample LockBit-main.zip | Resource win7-20241023-en
behavioral2: Sample LockBit-main.zip | Resource win10v2004-20241007-en
General
Target: LockBit-main.zip
Size: 292KB
MD5: 68309717a780fd8b4d1a1680874d3e12
SHA1: 4cfe4f5bbd98fa7e966184e647910d675cdbda43
SHA256: 707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881
SHA512: e16de0338b1e1487803d37da66d16bc2f2644138615cbce648ae355f088912a04d1ce128a44797ff8c4dfc53c998058432052746c98c687670e4100194013149
SSDEEP: 6144:n42LBVCsV+PkMeW9zTiY/NaQmHst5ySPzmcfIMwmafvR:n4EzwkMeWgY1NmyESPB1/aXR
Malware Config
Extracted
Family: blackmatter
25.239
Extracted
Path: C:\4rqQ7D1gV.README.txt
Family: lockbit
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures
BlackMatter Ransomware
The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.
Blackmatter family
Lockbit
Ransomware family with multiple variants released since late 2019.
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000a000000023ba3-18.dat | family_lockbit
behavioral2/files/0x000a000000023bae-38.dat | family_lockbit
Renames multiple (634) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 176C.tmp
Executes dropped EXE (12 IoCs)
pid | Process
4296 | keygen.exe
4148 | builder.exe
3632 | builder.exe
1480 | builder.exe
4068 | builder.exe
224 | builder.exe
1012 | builder.exe
4688 | builder.exe
4384 | builder.exe
4480 | LB3.exe
6780 | LB3Decryptor.exe
1524 | 176C.tmp
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini | LB3.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini | LB3.exe
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PPt8qt75_x1c20hh4lo__6z4a9b.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PP5w62ig8ry05jufkue2d0nd_0d.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPiapk1hj6risx9m5nnea01luyb.TMP | printfilterpipelinesvc.exe
Sets desktop wallpaper using registry (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallPaper | LB3Decryptor.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\4rqQ7D1gV.bmp" | LB3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\4rqQ7D1gV.bmp" | LB3.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
1524 | 176C.tmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | builder.exe (7 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LB3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 176C.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | keygen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LB3Decryptor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Modifies Control Panel (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop | LB3Decryptor.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop | LB3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "10" | LB3.exe
Modifies registry class (8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\4rqQ7D1gV\DefaultIcon\ = "C:\\ProgramData\\4rqQ7D1gV.ico" | LB3.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\4RQQ7D1GV\DEFAULTICON | LB3Decryptor.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\4rqQ7D1gV | LB3Decryptor.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\.4RQQ7D1GV | LB3Decryptor.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.4rqQ7D1gV | LB3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.4rqQ7D1gV\ = "4rqQ7D1gV" | LB3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\4rqQ7D1gV\DefaultIcon | LB3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\4rqQ7D1gV | LB3.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
6492 | ONENOTE.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4480 | LB3.exe (64 entries)
Suspicious behavior: RenamesItself (2 IoCs)
pid | Process
4480 | LB3.exe
6780 | LB3Decryptor.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 1960 | 7zFM.exe
Token: 35 | 1960 | 7zFM.exe
Token: SeSecurityPrivilege | 1960 | 7zFM.exe
Token: SeAssignPrimaryTokenPrivilege | 4480 | LB3.exe
Token: SeBackupPrivilege | 4480 | LB3.exe
Token: SeDebugPrivilege | 4480 | LB3.exe
Token: 36 | 4480 | LB3.exe
Token: SeImpersonatePrivilege | 4480 | LB3.exe
Token: SeIncBasePriorityPrivilege | 4480 | LB3.exe
Token: SeIncreaseQuotaPrivilege | 4480 | LB3.exe
Token: 33 | 4480 | LB3.exe
Token: SeManageVolumePrivilege | 4480 | LB3.exe
Token: SeProfSingleProcessPrivilege | 4480 | LB3.exe
Token: SeRestorePrivilege | 4480 | LB3.exe
Token: SeSecurityPrivilege | 4480 | LB3.exe
Token: SeSystemProfilePrivilege | 4480 | LB3.exe
Token: SeTakeOwnershipPrivilege | 4480 | LB3.exe
Token: SeShutdownPrivilege | 4480 | LB3.exe
Token: SeDebugPrivilege | 4480 | LB3.exe
Token: SeBackupPrivilege / Token: SeSecurityPrivilege | 4480 | LB3.exe (the remaining 45 entries alternate between these two privileges in pairs)
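The privilege log above is more useful as a per-process set than as a 64-row list: the payload enables SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege and SeManageVolumePrivilege, the combination that lets a process open and rewrite files regardless of their ACLs, alongside SeDebugPrivilege. The Python below is an added example, not tria.ge output and not LockBit code. It parses a constructed excerpt in the same flattened "Token: <privilege> <pid> <process>" layout as this report and flags any process that enables at least three privileges from an assumed file-takeover set; the set, the threshold and the sample excerpt are the editor's choices. Numeric entries are privilege LUIDs the sandbox did not resolve and are left as-is rather than guessed.

```python
import re
from collections import defaultdict

# Constructed excerpt in the same "Token: <privilege> <pid> <process>" layout as this report.
SAMPLE_TOKEN_LOG = (
    "Token: SeRestorePrivilege 1960 7zFM.exe Token: 35 1960 7zFM.exe "
    "Token: SeSecurityPrivilege 1960 7zFM.exe "
    "Token: SeAssignPrimaryTokenPrivilege 4480 LB3.exe Token: SeBackupPrivilege 4480 LB3.exe "
    "Token: SeDebugPrivilege 4480 LB3.exe Token: 36 4480 LB3.exe "
    "Token: SeManageVolumePrivilege 4480 LB3.exe Token: SeRestorePrivilege 4480 LB3.exe "
    "Token: SeTakeOwnershipPrivilege 4480 LB3.exe Token: SeShutdownPrivilege 4480 LB3.exe "
    "Token: SeBackupPrivilege 4480 LB3.exe Token: SeSecurityPrivilege 4480 LB3.exe"
)

TOKEN_RE = re.compile(r"Token:\s+(?P<priv>\S+)\s+(?P<pid>\d+)\s+(?P<proc>\S+)")

# Privileges a file encryptor enables to read/overwrite files regardless of ACLs and to
# touch raw volumes. The set and the threshold below are assumptions for this example,
# not a published rule; tune them against your own baseline (backup agents hit several).
FILE_TAKEOVER_PRIVS = {
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeManageVolumePrivilege", "SeDebugPrivilege",
}


def privileges_by_process(log):
    """Return {(pid, process): {privilege: times_enabled}} from a flattened token log.
    Unresolved numeric LUIDs (e.g. "35") are kept as their own keys."""
    table = defaultdict(lambda: defaultdict(int))
    for m in TOKEN_RE.finditer(log):
        table[(int(m.group("pid")), m.group("proc"))][m.group("priv")] += 1
    return table


def flag_file_takeover(log, min_hits=3):
    """List (pid, process, matched privileges) for processes that enabled at least
    min_hits distinct privileges from FILE_TAKEOVER_PRIVS."""
    hits = []
    for (pid, proc), privs in privileges_by_process(log).items():
        matched = sorted(FILE_TAKEOVER_PRIVS & set(privs))
        if len(matched) >= min_hits:
            hits.append((pid, proc, matched))
    return hits


if __name__ == "__main__":
    for pid, proc, privs in flag_file_takeover(SAMPLE_TOKEN_LOG):
        print(f"{proc} (pid {pid}) enabled {', '.join(privs)}")
```

On the sample, 7zFM.exe (which legitimately enables SeRestorePrivilege to extract archives) stays below the threshold while LB3.exe trips it with five of the five privileges; in a live environment the same logic runs over token-adjustment telemetry (for example Windows security event 4703) keyed by process.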
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1960 | 7zFM.exe (2 entries)
Suspicious use of SetWindowsHookEx (16 IoCs)
pid | Process
6780 | LB3Decryptor.exe
6492 | ONENOTE.EXE (15 entries)
Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target
PID 2852 wrote to memory of 4296 | 2852 | cmd.exe | 93 (3 entries)
PID 2852 wrote to memory of 4148 | 2852 | cmd.exe | 94 (3 entries)
PID 2852 wrote to memory of 3632 | 2852 | cmd.exe | 95 (3 entries)
PID 2852 wrote to memory of 1480 | 2852 | cmd.exe | 96 (3 entries)
PID 2852 wrote to memory of 4068 | 2852 | cmd.exe | 97 (3 entries)
PID 2852 wrote to memory of 224 | 2852 | cmd.exe | 98 (3 entries)
PID 2852 wrote to memory of 1012 | 2852 | cmd.exe | 99 (3 entries)
PID 4480 wrote to memory of 6552 | 4480 | LB3.exe | 108 (2 entries)
PID 2328 wrote to memory of 6492 | 2328 | printfilterpipelinesvc.exe | 114 (2 entries)
PID 4480 wrote to memory of 1524 | 4480 | LB3.exe | 115 (4 entries)
PID 1524 wrote to memory of 6884 | 1524 | 176C.tmp | 116 (3 entries)
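Several of the signatures above share one detail: the random per-build token 4rqQ7D1gV appears as the appended file extension, as the ransom note name (4rqQ7D1gV.README.txt), as the wallpaper and icon dropped in ProgramData, and as the HKLM\SOFTWARE\Classes\.4rqQ7D1gV file-type registration. Correlating the token across those artifact types turns a noisy rename burst into a high-confidence LockBit 3.0 detection. The Python below is an added example written for this page, not tria.ge code and not LockBit code. It runs over a constructed event feed in an assumed "kind|process|detail" layout built from the behaviours listed in this report; the layout, the rename threshold (3 here, far higher in production) and the requirement of at least two further artifact types are the editor's assumptions.

```python
import re
from collections import Counter

# Constructed event feed in an assumed "kind|process|detail" layout, built from the
# behaviours this report lists (rename burst, Classes/DefaultIcon keys, wallpaper, note).
SAMPLE_EVENTS = r"""
rename|LB3.exe|C:\Users\Admin\Documents\q1.xlsx -> C:\Users\Admin\Documents\q1.xlsx.4rqQ7D1gV
rename|LB3.exe|C:\Users\Admin\Pictures\a.png -> C:\Users\Admin\Pictures\a.png.4rqQ7D1gV
rename|LB3.exe|C:\Users\Admin\Desktop\notes.txt -> C:\Users\Admin\Desktop\notes.txt.4rqQ7D1gV
rename|explorer.exe|C:\Users\Admin\Desktop\new.txt -> C:\Users\Admin\Desktop\todo.txt
regset|LB3.exe|\REGISTRY\MACHINE\SOFTWARE\Classes\.4rqQ7D1gV\ = "4rqQ7D1gV"
regset|LB3.exe|\REGISTRY\MACHINE\SOFTWARE\Classes\4rqQ7D1gV\DefaultIcon\ = "C:\\ProgramData\\4rqQ7D1gV.ico"
regset|LB3.exe|\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\4rqQ7D1gV.bmp"
create|LB3.exe|C:\4rqQ7D1gV.README.txt
"""

RENAME_RE = re.compile(r"^(?P<old>.+?) -> (?P<new>.+)$")

# Each pattern extracts the per-build token from one artifact type (event kind, regex).
TOKEN_PATTERNS = [
    ("file_class",   "regset", re.compile(r'\\Classes\\\.(?P<token>[^\\\s]+)\\')),
    ("default_icon", "regset", re.compile(r'\\DefaultIcon\\.*ProgramData\\+(?P<token>[^\\."]+)\.ico')),
    ("wallpaper",    "regset", re.compile(r'\\Desktop\\Wall[Pp]aper = ".*ProgramData\\+(?P<token>[^\\."]+)\.bmp"')),
    ("ransom_note",  "create", re.compile(r'\\(?P<token>[^\\]+)\.README\.txt$')),
]


def parse_events(text):
    """Split the constructed feed into dicts with kind, proc and detail fields."""
    events = []
    for line in text.strip().splitlines():
        kind, proc, detail = line.split("|", 2)
        events.append({"kind": kind, "proc": proc, "detail": detail})
    return events


def appended_extension(old, new):
    """Return EXT when new == old + '.' + EXT (the encrypt-then-rename pattern), else None."""
    if not new.startswith(old + "."):
        return None
    ext = new[len(old) + 1:]
    return ext if ext and "\\" not in ext and "." not in ext else None


def detect_mass_rename(events, min_count=3):
    """{(process, ext): n} for processes that appended one new extension to >= min_count files."""
    counts = Counter()
    for ev in events:
        m = RENAME_RE.match(ev["detail"]) if ev["kind"] == "rename" else None
        if m:
            ext = appended_extension(m.group("old"), m.group("new"))
            if ext:
                counts[(ev["proc"], ext)] += 1
    return {k: n for k, n in counts.items() if n >= min_count}


def correlate_lockbit_token(events, min_renames=3):
    """Tokens seen both as a rename-burst extension and in at least two other artifact types."""
    findings = {}
    for (proc, ext), n in detect_mass_rename(events, min_renames).items():
        findings[ext] = {"process": proc, "renames": n, "evidence": {"mass_rename"}}
    for ev in events:
        for name, kind, rx in TOKEN_PATTERNS:
            m = rx.search(ev["detail"]) if ev["kind"] == kind else None
            if m:
                tok = m.group("token")
                findings.setdefault(tok, {"process": ev["proc"], "renames": 0, "evidence": set()})
                findings[tok]["evidence"].add(name)
    return {tok: f for tok, f in findings.items()
            if "mass_rename" in f["evidence"] and len(f["evidence"]) >= 3}


if __name__ == "__main__":
    for tok, f in correlate_lockbit_token(parse_events(SAMPLE_EVENTS)).items():
        print(f"token {tok}: {f['process']} renamed {f['renames']} files; evidence {sorted(f['evidence'])}")
```

The rename check alone would also fire on archivers and backup tools that append a suffix; requiring the same token in the registry class, wallpaper or ransom note is what makes the alert specific to this family's behaviour.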
Processes
C:\Program Files\7-Zip\7zFM.exe (PID 1960)
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LockBit-main.zip"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
C:\Windows\System32\rundll32.exe (PID 5112)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe (PID 2852)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit-main\Build.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\Desktop\LockBit-main\keygen.exe (PID 4296)
        keygen -path Build -pubkey pub.key -privkey priv.key
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\Desktop\LockBit-main\builder.exe (PID 4148)
        builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\Desktop\LockBit-main\builder.exe (PID 3632)
        builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\Desktop\LockBit-main\builder.exe (PID 1480)
        builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\Desktop\LockBit-main\builder.exe (PID 4068)
        builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\Desktop\LockBit-main\builder.exe (PID 224)
        builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\Desktop\LockBit-main\builder.exe (PID 1012)
        builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Users\Admin\Desktop\LockBit-main\builder.exe (PID 4688)
    "C:\Users\Admin\Desktop\LockBit-main\builder.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
C:\Users\Admin\Desktop\LockBit-main\builder.exe (PID 4384)
    "C:\Users\Admin\Desktop\LockBit-main\builder.exe"
    - Executes dropped EXE
C:\Users\Admin\Desktop\LockBit-main\Build\LB3.exe (PID 4480)
    "C:\Users\Admin\Desktop\LockBit-main\Build\LB3.exe"
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (PID 6552)
        C:\Windows\splwow64.exe 12288
        - Drops file in System32 directory
    C:\ProgramData\176C.tmp (PID 1524)
        "C:\ProgramData\176C.tmp"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 6884)
            "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\176C.tmp >> NUL
            - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe (PID 6652)
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Users\Admin\Desktop\LockBit-main\Build\LB3Decryptor.exe (PID 6780)
    "C:\Users\Admin\Desktop\LockBit-main\Build\LB3Decryptor.exe"
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
C:\Windows\system32\printfilterpipelinesvc.exe (PID 2328)
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 6492)
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B8710E38-18BA-411D-B4A0-F497EBB49E92}.xps" 133801289709520000
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
C:\Windows\system32\NOTEPAD.EXE (PID 5068)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-main\Build\Password_exe.txt
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: 1ead198d9db868fa1953e7271bc98dfa
SHA1: e7a92efc42a514a989edfaaa6958845edbd66844
SHA256: 4e49a862d90e7cf5a9a10c4298441314d492885aad0f8d9ce644014746ab5eec
SHA512: 56a0cac94ed1cc094cb06a63eb341c612b4d890b12033d91356f613bb6d1a1a351d0e85ef60750dbddb2dd627e0500fa2d76d5f6ca3ea6810bcef47c571b3be9

Filesize: 6KB
MD5: dd746ace17e44ace00885b91400f11d5
SHA1: 4a0302d2dca400598f396e4230fdae71779cbeaa
SHA256: b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272
SHA512: 8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}
Filesize: 36KB
MD5: 8aaad0f4eb7d3c65f81c6e6b496ba889
SHA1: 231237a501b9433c292991e4ec200b25c1589050
SHA256: 813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1
SHA512: 1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc
Filesize: 36KB
MD5: eab75a01498a0489b0c35e8b7d0036e5
SHA1: fd80fe2630e0443d1a1cef2bdb21257f3a162f86
SHA256: fdf01d2265452465fcbed01f1fdd994d8cbb41a40bbb1988166604c5450ead47
SHA512: 2ec6c4f34dcf00b6588b536f15e3fe4d98a0b663c8d2a2df06aa7cface88e072e2c2b1b9aaf4dc5a17b29023a85297f1a007ff60b5d6d0c65d1546bf0e12dd45

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656134012488.txt
Filesize: 77KB
MD5: c0e4491397e1632f4c6779f98fe2ae67
SHA1: d56726882e08f1ac131178b7c935b8e8df05de7a
SHA256: d02b9da05522b36b841d5b4dc1eb3c142b46708b1ad449795ea5e52a3614fe96
SHA512: 4578aa20251cad20dea402cbf7878d4df348cc3b79cbe9c98d2cbf676540e65a1b2087cb2eec8f64e8559c20e7fb54e0e5b827c124f7e400e1a68d435aaf7524

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658101903738.txt
Filesize: 47KB
MD5: cb3c835fc52da4547a6cb9897ede57be
SHA1: 9c24d5ce02566c79f727de45379dffdf62ebe7f1
SHA256: f4909f72e99bd64fdb03a651e54b8a4f7a1dd165215778e1ea5f4e922d40aa61
SHA512: 88b0556be5937735d1f1749430862e10dcd99b58eb8d79c7b217039289fdacc4c9a5017bf7499a7e01673801d71c80b7069c6863e39238a42f88552dde10845e

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664064470971.txt
Filesize: 65KB
MD5: 45f5e32d526230a0a91c803d040880ad
SHA1: dc6d20324ac7f9f7c813b85bb895c9ed3f72bd3c
SHA256: 94e414deb8664f125e96af25d50ffc6dcb9ebe556a8113cdadb09e7c8c0a290f
SHA512: 7b2cd12e8129f8c63265c09fa93e333abc8a0d7b38cb6957f9719cc16ff38d1d6d3f5b728a6ddfebecd2f12957a9ef54bdf6607efcc868f7a7e92cdd44668d74

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133801289514848510.txt
Filesize: 75KB
MD5: d51568ad518490a361b9c2d58129115c
SHA1: bd2447b4786fc0e1b96df394daacbeac3cba303a
SHA256: 61b3bd5591db4613587425b0bd0d8fd7a37a6f98967c90af780fa031571e51ec
SHA512: e77c4640b8b90c3ae396013afef1f7c2b1da9a6d617f718bad235d9d0e3f59569569f4c4eb564f6c909158f109f02b9f2f54db83ede7ca727ec8690c874fdc30

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\settings.dat
Filesize: 8KB
MD5: a8308d2f3dde0745e8b678bf69a2ecd0
SHA1: c0ee6155b9b6913c69678f323e2eabfd377c479a
SHA256: 7fbb3e503ed8a4a8e5d5fab601883cbb31d2e06d6b598460e570fb7a763ee555
SHA512: 9a86d28d40efc655390fea3b78396415ea1b915a1a0ec49bd67073825cfea1a8d94723277186e791614804a5ea2c12f97ac31fad2bf0d91e8e035bde2d026893

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Filesize: 32KB
MD5: b7c14ec6110fa820ca6b65f5aec85911
SHA1: 608eeb7488042453c9ca40f7e1398fc1a270f3f4
SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
SHA512: d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Filesize: 48KB
MD5: 19dfc6df8220d8defe6c6871b57be2b9
SHA1: 64ede7896dc552e69c66391f2c6f417f877127d8
SHA256: 8f66796eca9e72b96bb43b0402c56b94af7d90b0931d32b4a28e2b4daecb9e94
SHA512: eb773f3bb1c16b4617083d0b13f4de5079fb36eca2c314f743aa34c6c6b54bc53ed3425d0bd5525d66e8f80ba2ce5b103898dad49703bb40cb7dc0e3273868b1

Filesize: 1KB
MD5: b8f24efd1d30aac9d360db90c8717aee
SHA1: 7d31372560f81ea24db57bb18d56143251a8b266
SHA256: 95df1d82137315708931f1fc3411e891cd42d1cab413d4380b479788729248ed
SHA512: 14ebf7905f15983593164d1c093bb99d098daf3963f1b7a913c1a9763acb950075a0d2cceab3558cce3e7269c2a2d5dacc2b3c6c55807b0b6bda6bfad62dd032

Filesize: 153KB
MD5: b21576baa87577e18bf131292f61dd21
SHA1: cf9079625a71c51988ffc0fdfaf7e1290f25f7f1
SHA256: 2bfc66a6db7fe8ca7ca9ce5ecbe2ba253bac66e63c7ba76d1764bcc6dd8383f1
SHA512: b89ef8bdf50804a44d2a45526edef7c308d134c42ae9f32684e9f76e1cab8995f34fe8a1789c670d7d99e7e0a64f61ea686545f942d0a767871746cef82d1db0

Filesize: 265B
MD5: 3cd675e7331c60b7b0bd5ab0b516e546
SHA1: 551a764b26d810b9c3ce382d99af56c25eb4b956
SHA256: 2bb8eafc72cfdc5879c94c1e3b85c7b33f94c38b1c06dfd96e2e6467cc75058c
SHA512: 790613112c9f4ca124daf7b2a12f50104a46bd2221e6ec4a2fe02746d8d9f950585914bc94663e811adc5f1d9bbf7cff5e27722e16db77ba96a47e4a649d6819

Filesize: 153KB
MD5: 072505cadbb6670219cb4e5a7e3c5eb8
SHA1: 5cc395cd38067a81e22aef97e552b2910866b1e0
SHA256: 72dfab7d5857bc1c358d5719fb0f7cc851143002851155a7081e807bf1025bfa
SHA512: 4a0a1720510d8b16da209fff9831edcd9f577969494a6bed1630fa30c908314ec9b1befe55041db9cb9132d60d6206050868cd1295a5f2d4fbee7a7972e7cd23

Filesize: 54KB
MD5: 255ae4d32b8ea42a3fbbe9c8fc40e481
SHA1: cd12144758a946537c0e8ad57965647d3387b2f1
SHA256: 0df751329c62821f7fda006c6f24c9d9720d1aad75eb365dfb15f0a0ec107404
SHA512: ae349e33845ebd7e5033e208355e6db17ccedc3e76973400a434c533146f9bb35b7df5f58b288cf90493540a3fbe4b0bf75eb6eb643563e6ec89d58de3aedfc7

Filesize: 2KB
MD5: b1a0223ba60e1833695f07989736d442
SHA1: c9b383de5d2b6bade92b0b8539bd9f0f3ae11fed
SHA256: cdc6f98de70dda8d3f88a3792577fbd52b39eb19fbfd27b4b32f272a121d6c13
SHA512: 476cfea0bb677d271b757e88d8d254a3bbcb377af981c498e9845a1ccc47122c1ade0e46fc85b69c523c24a4beaf65abdc75f60c37e0a2f2f2fb2f90210fb4df

Filesize: 2KB
MD5: d6960c532478a1522cf2850734961bfd
SHA1: 6e12efaeda4d4793b835d0d14fda92de47178fc4
SHA256: 16363e1ccf7a6bc3c7ed0293e1d21fbce7877292b01d043dbe09ce26b75e34e6
SHA512: 373199befef493dc939d5a55f4a9ec4521c8ece74dba00a7c32b8fa2b704121ef1ebbabc002afa4b52cf7b3fae26af09426c120f78e70d9327d23e8caea1e10b

Filesize: 344B
MD5: 9516b6bd999b5b315e199c5c934badc8
SH1: 21f1ce31cd94df118facb072fcbda172167b630d
SHA256: 75e0fbc3a2bf6fa67019d758cb60414cdc2b104061cd269bd4a7fdadeddedb6e
SHA512: e190ff863a84ffadfc2ae33a43fbd78ad66a00b3e7debba9350dc047ef25e6a19ac0e98787c86d79715dc7822474c2e41bfcecb43ba7e70875c74f2040202654

Filesize: 344B
MD5: 7646505d94b376464f8932c8b5f9fab9
SHA1: 41ed78aede49efc69b261bd341f050a93394e23e
SHA256: 1311b06d1f4adaa5a945d4cf6c5ed9741eaede696f10c37d0ae5ddc0c331a613
SHA512: 320d85b99653079a5c1e28f6a2996d825e100983358e7d0c9296a3bd9c724c58311ac11debf4e4d8a9b4da48286d5c9b22792bc7e0b3298f75202ccbd2d2f1c4

Filesize: 4KB
MD5: d2a6c0f2726e529e9e434946db4d7015
SHA1: ae71e212526a4203939ea68a11a08803f40f8fd0
SHA256: 21de073d7de49abaa4ac8cbe0483565e7fa94ee6a5037faa59a1c21bf0308db4
SHA512: c97a776ae8782f8204a3f93f7719d4b93728c1a3e19099f384e461815d7b4b3e4b6f8f8fc15efa1a10cab46ca20174af61faab84980c4a9a20552e3ea50f6484

Filesize: 469KB
MD5: c2bc344f6dde0573ea9acdfb6698bf4c
SHA1: d6ae7dc2462c8c35c4a074b0a62f07cfef873c77
SHA256: a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db
SHA512: d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Filesize: 8KB
MD5: de177fa08e9b2eaa378760afd53be6b2
SHA1: a18050f9e5f2412955df4b868ffb866209d2b84a
SHA256: d121f4293160e0a39cbb184c032cd45baf1372db00cd33afb0e166ac0a60ac4c
SHA512: 44f4e745013eaa7d95486c91457c23fd9694f859920766f0139cf5ca9c84ff6c82d59be9675dd1a0c7b3216464c85cf732dbbdb0e641a5e47cbbf1830f4a0a8c

Filesize: 31KB
MD5: 71c3b2f765b04d0b7ea0328f6ce0c4e2
SHA1: bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4
SHA256: ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37
SHA512: 1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Filesize: 380KB
MD5: 2f22e278ac06d35ab36235a4470486d8
SHA1: 794ec62949578cdd5a7e141cf005a07df3dd9f9d
SHA256: 811ec0cbbe0e048c7ea77387763ea0559c87e6d26711a7e42bb23d868ec77c5f
SHA512: 66d7a632d7741873f5f7a9dc767734fb56e4fbbaf2ff8b0cfa7d0f81431bfa6884e7a03589a9ea20e38bdeffc7926f48202a78803b70203995eb23c1deb299af

Filesize: 86KB
MD5: d54f62c8c4c4f078da690a069421d04c
SHA1: f3ccb094bbd680192b1e560b8f52742890320f20
SHA256: ccf6893b47c768527ee7b69e7da011839ff8b489fced25c5a8814cd005e9d45b
SHA512: eb805782a9ffd93a5ab1560ff0baf95bce4014ee243dd51932c96a327ec5f952becb90801eb3561cceaa014ffdb9baa6b4ee28c039783d6eb3ca28fef5647895

Filesize: 396KB
MD5: 45641586382986f6700414583942a60e
SHA1: c2eed667c03667d4a6e2dd4fa52a91a5eb7a2e41
SHA256: a61d34239f7feb92597404853039450bcec9d889cb190b97d9c0e08c1b06a986
SHA512: b4e0bc460bc327bc23883b3fdb52f21e1f2ed8fb9ac574e0da3d58c35b417f893b9f10a5957949610085995c933745289a8ce1c3e05cac215d41389dc22f7ab7

Filesize: 82KB
MD5: 3ecca1e2281fc8d496efbcb669ce2506
SHA1: 64739a1f9a5f457ef5b1994a8add25eed1402cab
SHA256: e6c2b122f0f157358929af4aba3c0f71b3722f8046a0b857a88d71d87deae62e
SHA512: 839cfcf323926f35331d1cd7f7db705659575c4d08c2de5852df8cce84e5639bfd996150300cd4678d9a23606eff837aaf28791550276a1ab5cbf06df27d994a

Filesize: 168KB
MD5: 24c3f40c53151e72261b9d64b063c106
SHA1: 588cac8c85d9acf11d66836aab1f97036b8eec79
SHA256: 6ffc95b20f77e8b143b9f87b6448cba9f0ef7316fdc12136f12fe72a835b7e99
SHA512: ad03d9d7e73fdb4bdbd66856d8fb59b58fc930c1d39d180e2335b6882608e70c3d62e1ef52d23331df93e2b3808b50331066328a9a41730491af5c7606393a7d

Filesize: 195KB
MD5: 0325286469a4587a6c69b67284e05bd3
SHA1: 1eb465bac873c5c1c12a1bfbec11f02e74dc4146
SHA256: 0edcf49f224c8fa09c689e048770f6180390f3adbee9f9d61fdea528ca6b07d7
SHA512: 353b2df45b4348f18a80cd46d6737c58380d80865e01ad6197f8953bb49ab18dddb33279e7c99f4273bc28db624a86e056db047cb8c61a628dbc2f8cd42d6d6d

Filesize: 171KB
MD5: 130aab113d2e2dd2530f939769b0dac5
SHA1: f7ef463879c29e92a0bc64e553f5ebd78064cdcf
SHA256: 028d18705f87e4fe38095a3d377649fad342cff826fc24d67f9f7909b903f8e8
SHA512: e32c1d1c743e1c6cdf97f4c672c3c642e207b5e11cf01150636f44a2558d7ac88ce5d429b2a026526296af392c18a9a2d49c9611a70077d383329ca5a44a5431

Filesize: 208KB
MD5: 24e27c76950764c685aa23f3bda615d6
SHA1: 0d3da261b25aa06326fcf2800b709a461eda08e5
SHA256: 737cec10dc34435913569b563d6e27e8ce87514ac638c6a860baf8879d4abc7f
SHA512: 9da979ad6feef631d58cb6912d654a952fee168daeb3d8289b177d4191870f83f2d887754be6197edad92b0201140719235e478fea703154450e2d0bf509bc0f

Filesize: 170KB
MD5: 2abec299451d06912defd260c42ae395
SHA1: e8879ba9ad9f6647563f2cc27d4fde7368d5869a
SHA256: 419f3ae37aa5f3af0d6abf769a5316b63534675e4a24893e8972db7855c9a698
SHA512: be58fca83827ae1bc1dbdfaba6078dd3b0e64f72039dd06d6c7cc1e7905567cb8f3dd3e596a431f5e83e0684cb3e6b39a7bbb5a5eeb84645ffcbabfe3f615905

Filesize: 191KB
MD5: 527f808cf7799a9314c450892ff70540
SHA1: a85ee3b06bdfee825d4db46a1d29c72f2929cb89
SHA256: 01c9c5ac5002243f958fef7e2cfb910f2a1f2c8d34f8b5ec9055216a7b6ebeb5
SHA512: 7d7fe06075466d1933eed580250d086755c624e40d22e0612b47710416012a9c25ec029ed4ae2e5a49c708190c2659352d26f415b9f8ff7ee679aa5a54f09bd6

Filesize: 170KB
MD5: a93119765e7313bd85e65860fa88a3df
SHA1: 90fd2cbad36ec112a8584aeb54a9e280df74b451
SHA256: 6193ea4e874e616da8f53e67b99c52da4d9ab0d0c51c05ac36b919c600e68234
SHA512: b3a1017c9c58fdbbaec11a87779a469dc3234bc289d3638f53a92954587e367a4e486d12cc304da578c1122d23a42178ce03e25cd9a49b951185632d72271f9e

Filesize: 198KB
MD5: cb6a5818a183fad9e892a211084dc482
SHA1: 763102925605f334869ec0b2260289638d91613e
SHA256: 8f0557c1a9be34fbc42970e3fb17fd4f42a52caaa3b5f9356e52fb6bc37309e8
SHA512: b50527788066b66257b30d327301eac8a01b10072615f646d3243d587caa336f1db9800fb463fe32ce19e03a7a91e2531050dc4c902605122a04f8c4a6f2476b

Filesize: 123KB
MD5: c87e8c8eb228e4d28410cf4a08e906f2
SHA1: edbeff7b9c1e70e7cc3668cbbb86c6ac2251a68d
SHA256: dfc87a7289b82955b51901f980bfcd8ef440f2ec1e849b600b41b0881613a9d5
SHA512: 4fd43031aca56b345343d39e84000a2473d9f69ac14b92419b9af6a25e4c49007f83bff3793b76f061fbf886308304ace60445aff5f6d51826f50d61ca68eb5b

Filesize: 130KB
MD5: 100d76973de8962d4dc46e69536d0b79
SHA1: 1c4499378a4dafffcf7b3c0ceefeba2bc83fa68e
SHA256: ef080cb227f50b693a3b1f388da6da7e3c5e5c2b9783f0081577df2cdd421d05
SHA512: 8efa536b1affacba452002e1a171074d82da98277ee3e40b2d6f0357566ce6dcfb1760def09e6573259bae3c4d38cc55ed84cd77649d6e4ed265881fb209fdc4

Filesize: 129B
MD5: d8d6403554ab54d615e63c8e7e5dd00e
SHA1: 3ac4374402466e3d25d2c8f09dddc263e9d04840
SHA256: ab3f48770bd278ca5c542744f67539bbb21e34746abf2618c8ce2fad74507ccb
SHA512: bc4923d40cb1a546af8114ec6a4dd17b81e2cb9a78386a9a7cd923b314336d634ba1070b101d55819dfa87b64c892e7aa1babcc842f50f1ff6a6958077c130a4