Analysis
- max time kernel: 125s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 16-01-2025 11:04
Behavioral task behavioral1
- Sample: spider.exe
- Resource: win7-20240729-en
Behavioral task behavioral2
- Sample: spider.exe
- Resource: win10v2004-20241007-en
General
- Target: spider.exe
- Size: 226KB
- MD5: 2cc214c8c2ad42388b5dff8bc6242012
- SHA1: 174f80f3deefc0da870f5b54d6a2495f83d755f4
- SHA256: 3526381b95e916f2272049bdd849089e544231310671ce51b48dda0184a53df1
- SHA512: 33835742ff31d5fcb251abb701c0b08e21b72ab7ed72e53275361fc13dacf5aa1376b3c3873b92e53d1d8aca355f6eb29b10623a3320568c5caf715bc69478b8
- SSDEEP: 3072:sr85CDcSNm9V7Dm7i1j0XjuTxqJogYVqJogYg:k9Dc4m9tDm7myGq2Vq2g
Malware Config
Signatures
- Detect Neshta payload (3 IoCs)
  resource: behavioral1/files/0x0001000000010319-13.dat, yara_rule: family_neshta
  resource: behavioral1/memory/2076-933-0x0000000000400000-0x000000000041B000-memory.dmp, yara_rule: family_neshta
  resource: behavioral1/memory/2076-935-0x0000000000400000-0x000000000041B000-memory.dmp, yara_rule: family_neshta
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Lockbit family
- Neshta
  Malware in the Neshta family inserts itself into other files in order to spread and cause damage.
- Neshta family
- Rule to detect Lockbit 3.0 ransomware Windows payload (1 IoC)
  resource: behavioral1/files/0x0007000000018718-4.dat, yara_rule: family_lockbit
- Executes dropped EXE (1 IoC)
  pid 2372, process spider.exe
- Loads dropped DLL (3 IoCs)
  pid 2076, process spider.exe
  pid 2076, process spider.exe
  pid 2076, process spider.exe
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process spider.exe)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini (process spider.exe)
  File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini (process spider.exe)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (1 IoC)
  File opened for modification C:\Windows\svchost.com (process spider.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process spider.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process spider.exe)
- Modifies registry class (1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process spider.exe)
- Opens file in notepad (likely ransom note) (1 IoC)
  pid 1724, process NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2372, process spider.exe
  pid 2372, process spider.exe
  pid 2372, process spider.exe
  pid 2372, process spider.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2076 wrote to memory of 2372 (process spider.exe, procid_target 30)
  PID 2076 wrote to memory of 2372 (process spider.exe, procid_target 30)
  PID 2076 wrote to memory of 2372 (process spider.exe, procid_target 30)
  PID 2076 wrote to memory of 2372 (process spider.exe, procid_target 30)
Processes
- C:\Users\Admin\AppData\Local\Temp\spider.exe
  "C:\Users\Admin\AppData\Local\Temp\spider.exe"
  PID: 2076
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\spider.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\spider.exe"
    PID: 2372
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\dfsQPArFx.README.txt
  PID: 1724
  - Opens file in notepad (likely ransom note)
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x14c
  PID: 1968
Network
MITRE ATT&CK Enterprise v15
Downloads