lockbit | 3526381b95e916f2272049bdd849089e544231310671ce51b48dda0184a53df1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spider.exe
Size

226KB
MD5

2cc214c8c2ad42388b5dff8bc6242012
SHA1

174f80f3deefc0da870f5b54d6a2495f83d755f4
SHA256

3526381b95e916f2272049bdd849089e544231310671ce51b48dda0184a53df1
SHA512

33835742ff31d5fcb251abb701c0b08e21b72ab7ed72e53275361fc13dacf5aa1376b3c3873b92e53d1d8aca355f6eb29b10623a3320568c5caf715bc69478b8
SSDEEP

3072:sr85CDcSNm9V7Dm7i1j0XjuTxqJogYVqJogYg:k9Dc4m9tDm7myGq2Vq2g

Score

10^/10

lockbit neshta discovery persistence ransomware spyware stealer

Malware Config

Signatures

Detect Neshta payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0006000000020223-1805.dat	family_neshta
behavioral2/memory/1084-3004-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1084-3005-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1084-3007-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c5f-4.dat	family_lockbit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spider.exe

Executes dropped EXE 1 IoCs

pid	Process
1464	spider.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	spider.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini	spider.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini	spider.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	spider.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	spider.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	spider.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	spider.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	spider.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	spider.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	spider.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	spider.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	spider.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	spider.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spider.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spider.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	spider.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe
1464	spider.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeDebugPrivilege	1464	spider.exe
Token: 36	1464	spider.exe
Token: SeImpersonatePrivilege	1464	spider.exe
Token: SeIncBasePriorityPrivilege	1464	spider.exe
Token: SeIncreaseQuotaPrivilege	1464	spider.exe
Token: 33	1464	spider.exe
Token: SeManageVolumePrivilege	1464	spider.exe
Token: SeProfSingleProcessPrivilege	1464	spider.exe
Token: SeRestorePrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeSystemProfilePrivilege	1464	spider.exe
Token: SeTakeOwnershipPrivilege	1464	spider.exe
Token: SeShutdownPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeSecurityPrivilege	1464	spider.exe
Token: SeBackupPrivilege	1464	spider.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1464	1084	spider.exe	82
PID 1084 wrote to memory of 1464	1084	spider.exe	82
PID 1084 wrote to memory of 1464	1084	spider.exe	82

C:\Users\Admin\AppData\Local\Temp\spider.exe
"C:\Users\Admin\AppData\Local\Temp\spider.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\3582-490\spider.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\spider.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini

Filesize
129B

MD5
691e2bb5a8232e9dbd9251b91637bcdb

SHA1
317dce3a02de5dc3305968e8769d4faccaf95a5d

SHA256
0faa83e2d443ee9db56470f99da3d126725096fab1140dd7eb351f16f9d33c88

SHA512
4e15390d111f5978778462c98ec32165828296d0f7c1a050fb6689e267b5382a70cf4b1bada1109be96fe1c7e5d7103d362949778dd409f81e9a0e7e28188b03

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\spider.exe

Filesize
186KB

MD5
149be3aa2b3b6c5f3cb980cca9e5b53a

SHA1
ac52b531b8aa82222f7f27ea9cc7a080e3ecc4d3

SHA256
f124c47e8176c4c1132a6df2889a046b4da58facf8cc10c3a1b2e296e25709cc

SHA512
e323b97da90389670f2e305e8cbddc4a0a228285cf1ee1f3e728de03f2042b7dc1956638734a59525322d7db82f08f7fd02ab977319c70585aeb8a66fa47c532

Download Submit
C:\dfsQPArFx.README.txt

Filesize
423B

MD5
e1d2c18f4974398cba2452dc526213e7

SHA1
02deac51128d0fdfa9a97ae81cc23eb225d1d8cf

SHA256
35d7dff06288a2c5479e5f967a671c1c7d41cba16d00ead59ce658418fcffb52

SHA512
97289495d55ef13f1f8a78a720254e1676671967ac122d7ba0370282906ec74ba415fd9b7bb4e4c052e2918d4f9f53482d05880031a9dc25754fce2cdea43fa0

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\DDDDDDDDDDD

Filesize
129B

MD5
1305e2cc6914267138a1b4edfe88f74a

SHA1
e53c05ad81df7db5955794b5eaafc20624e1b995

SHA256
f583510dc259688d1706f8d71da1e2d3e0dfef374fe9d6801b9ace685a373104

SHA512
1cd2eadab86b0033b3a9d00161ab6e5dcef4a57663dd040333a3c8e5607e9bdeb2a7ea49926736e335a83a961aa08f50e6db27c07827dbd4911603d24f04d17a

Download Submit
memory/1084-3004-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1084-3007-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1084-3005-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1464-11-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1464-3002-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1464-3001-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1464-3003-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1464-9-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1464-10-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download