707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881

Resubmissions

02-01-2025 17:47

250102-wctmlasqdn 10

02-01-2025 17:37

250102-v7dn7asnel 10

31-12-2024 15:09

241231-sjtdmaylbk 10

31-12-2024 14:28

241231-rtcm7axjej 10

Analysis

max time kernel
147s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-01-2025 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit-main/Build.bat
Size

1KB
MD5

b8f24efd1d30aac9d360db90c8717aee
SHA1

7d31372560f81ea24db57bb18d56143251a8b266
SHA256

95df1d82137315708931f1fc3411e891cd42d1cab413d4380b479788729248ed
SHA512

14ebf7905f15983593164d1c093bb99d098daf3963f1b7a913c1a9763acb950075a0d2cceab3558cce3e7269c2a2d5dacc2b3c6c55807b0b6bda6bfad62dd032

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 644	2948	cmd.exe	78
PID 2948 wrote to memory of 644	2948	cmd.exe	78
PID 2948 wrote to memory of 644	2948	cmd.exe	78
PID 2948 wrote to memory of 4060	2948	cmd.exe	79
PID 2948 wrote to memory of 4060	2948	cmd.exe	79
PID 2948 wrote to memory of 4060	2948	cmd.exe	79
PID 2948 wrote to memory of 4088	2948	cmd.exe	80
PID 2948 wrote to memory of 4088	2948	cmd.exe	80
PID 2948 wrote to memory of 4088	2948	cmd.exe	80
PID 2948 wrote to memory of 2056	2948	cmd.exe	81
PID 2948 wrote to memory of 2056	2948	cmd.exe	81
PID 2948 wrote to memory of 2056	2948	cmd.exe	81
PID 2948 wrote to memory of 1860	2948	cmd.exe	82
PID 2948 wrote to memory of 1860	2948	cmd.exe	82
PID 2948 wrote to memory of 1860	2948	cmd.exe	82
PID 2948 wrote to memory of 3568	2948	cmd.exe	83
PID 2948 wrote to memory of 3568	2948	cmd.exe	83
PID 2948 wrote to memory of 3568	2948	cmd.exe	83
PID 2948 wrote to memory of 1112	2948	cmd.exe	84
PID 2948 wrote to memory of 1112	2948	cmd.exe	84
PID 2948 wrote to memory of 1112	2948	cmd.exe	84

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LockBit-main\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  - System Location Discovery: System Language Discovery
  PID:644
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4060
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4088
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3568
- C:\Users\Admin\AppData\Local\Temp\LockBit-main\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LockBit-main\Build\priv.key

Filesize
344B

MD5
106388dcd28cdf66160accbf525483f0

SHA1
61ee8c7297b07fd5ea7de68795acb75df095c527

SHA256
a94c4cf49d1545a685e220a808611947aed16825d9d95debb916034beed16bee

SHA512
35aa695b747bdf84ce2e9734ebf12243b9cc40d200fd258538d90759c57eef00f36ebf152a8f6e3a49924a54473839c220ae1964a74df9c0bf6f7850ec510e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-main\Build\pub.key

Filesize
344B

MD5
97d5aad656102d19242765be4fccd999

SHA1
774b84eac0cde0c07a236f3fdd5383726295f84f

SHA256
83318aac27881d58646137ed5f073e5224e75c05ac94e9c0b221dfc6ab84fba8

SHA512
9b3cf2e4c943dc2df9fc50273c743c73bcd8d3ef5e7296d1df8c64b8f2fea132445385cf8becfbb0570e794bf271d52257fa9f53b39a69fdd1d9cbb44ccd82c8

Download Submit