707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881

Resubmissions

05/02/2025, 10:54

250205-mzsjdatkc1 10

02/01/2025, 17:47

02/01/2025, 17:37

31/12/2024, 15:09

31/12/2024, 14:28

Analysis

max time kernel
37s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
31/12/2024, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit-main/Build.bat
Size

1KB
MD5

b8f24efd1d30aac9d360db90c8717aee
SHA1

7d31372560f81ea24db57bb18d56143251a8b266
SHA256

95df1d82137315708931f1fc3411e891cd42d1cab413d4380b479788729248ed
SHA512

14ebf7905f15983593164d1c093bb99d098daf3963f1b7a913c1a9763acb950075a0d2cceab3558cce3e7269c2a2d5dacc2b3c6c55807b0b6bda6bfad62dd032

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3976	regedit.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 2448	4244	cmd.exe	78
PID 4244 wrote to memory of 2448	4244	cmd.exe	78
PID 4244 wrote to memory of 2448	4244	cmd.exe	78
PID 4244 wrote to memory of 3492	4244	cmd.exe	79
PID 4244 wrote to memory of 3492	4244	cmd.exe	79
PID 4244 wrote to memory of 3492	4244	cmd.exe	79
PID 4244 wrote to memory of 3816	4244	cmd.exe	80
PID 4244 wrote to memory of 3816	4244	cmd.exe	80
PID 4244 wrote to memory of 3816	4244	cmd.exe	80
PID 4244 wrote to memory of 2680	4244	cmd.exe	81
PID 4244 wrote to memory of 2680	4244	cmd.exe	81
PID 4244 wrote to memory of 2680	4244	cmd.exe	81
PID 4244 wrote to memory of 1720	4244	cmd.exe	82
PID 4244 wrote to memory of 1720	4244	cmd.exe	82
PID 4244 wrote to memory of 1720	4244	cmd.exe	82
PID 4244 wrote to memory of 788	4244	cmd.exe	83
PID 4244 wrote to memory of 788	4244	cmd.exe	83
PID 4244 wrote to memory of 788	4244	cmd.exe	83
PID 4244 wrote to memory of 1304	4244	cmd.exe	84
PID 4244 wrote to memory of 1304	4244	cmd.exe	84
PID 4244 wrote to memory of 1304	4244	cmd.exe	84

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LockBit-main\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3492
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3816
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:788
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1304

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Desktop\UnlockReset.reg"
1⤵
- Runs .reg file with regedit
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LockBit-main\Build\priv.key

Filesize
344B

MD5
1fa19303db3cb0fdab0173bb3e0a95e1

SHA1
9bddf78b0fec3aece221cc14de8177dcf978b427

SHA256
c866762e0e7e75927e2d30d0782bba2f0141ac2d22cc6eec24fa2f8b1ba93e63

SHA512
09e2446ac9315ea272490e5cf06a4a5fccf4adec3fd5a82f79a72b96bb716a5b4adab4503c679eac02da93ace7cee58cbbb0d8ad73a3fb2ae5ba0f4cd9ff3e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-main\Build\pub.key

Filesize
344B

MD5
8bdd862f50d7f37163a889d2a8dc2199

SHA1
134f73f6cb7d264ea346deccbcbb2ccf3ef36b04

SHA256
4af0b4246c003b23e939ae53f9eb27bf676309bc1025c9e46984af179d6641ee

SHA512
aa0c967abf2df372ad27e8e28291a699bfd857b8dae5e2bafeea4cedcf49ca6d5f20d31112ef0b89eeac07ed91cf61bc5436b4ced72b4f80c816e043fc36097b

Download Submit