lockbit | 3526381b95e916f2272049bdd849089e544231310671ce51b48dda0184a53df1

Analysis

max time kernel
42s
max time network
7s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spider.exe
Size

226KB
MD5

2cc214c8c2ad42388b5dff8bc6242012
SHA1

174f80f3deefc0da870f5b54d6a2495f83d755f4
SHA256

3526381b95e916f2272049bdd849089e544231310671ce51b48dda0184a53df1
SHA512

33835742ff31d5fcb251abb701c0b08e21b72ab7ed72e53275361fc13dacf5aa1376b3c3873b92e53d1d8aca355f6eb29b10623a3320568c5caf715bc69478b8
SSDEEP

3072:sr85CDcSNm9V7Dm7i1j0XjuTxqJogYVqJogYg:k9Dc4m9tDm7myGq2Vq2g

Score

10^/10

lockbit neshta discovery persistence ransomware spyware stealer

Malware Config

Signatures

Detect Neshta payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000600000002023a-1497.dat	family_neshta
behavioral2/memory/828-2895-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/828-2897-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/828-2899-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023bb6-4.dat	family_lockbit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	spider.exe

Executes dropped EXE 1 IoCs

pid	Process
4740	spider.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	spider.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1412605595-2147700071-3468511006-1000\desktop.ini	spider.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1412605595-2147700071-3468511006-1000\desktop.ini	spider.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	spider.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	spider.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	spider.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	spider.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	spider.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	spider.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	spider.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	spider.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	spider.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	spider.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	spider.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	spider.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	spider.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	spider.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	spider.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	spider.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spider.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spider.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	spider.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4880	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe
4740	spider.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeDebugPrivilege	4740	spider.exe
Token: 36	4740	spider.exe
Token: SeImpersonatePrivilege	4740	spider.exe
Token: SeIncBasePriorityPrivilege	4740	spider.exe
Token: SeIncreaseQuotaPrivilege	4740	spider.exe
Token: 33	4740	spider.exe
Token: SeManageVolumePrivilege	4740	spider.exe
Token: SeProfSingleProcessPrivilege	4740	spider.exe
Token: SeRestorePrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeSystemProfilePrivilege	4740	spider.exe
Token: SeTakeOwnershipPrivilege	4740	spider.exe
Token: SeShutdownPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeSecurityPrivilege	4740	spider.exe
Token: SeBackupPrivilege	4740	spider.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 4740	828	spider.exe	84
PID 828 wrote to memory of 4740	828	spider.exe	84
PID 828 wrote to memory of 4740	828	spider.exe	84

C:\Users\Admin\AppData\Local\Temp\spider.exe
"C:\Users\Admin\AppData\Local\Temp\spider.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\3582-490\spider.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\spider.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\dfsQPArFx.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1412605595-2147700071-3468511006-1000\desktop.ini

Filesize
129B

MD5
11b03bd54491e38dd9b8a7d3e1fd7648

SHA1
c92dd685afd19c6fa56f94a91799b5a01da6d0b0

SHA256
dae634eacf74ebf18881ac96cd869dc37801694cc7412e4d3a8be97900464309

SHA512
b45c2ed44c0625e6bcc117a9d708426d1c57ec4b4f2c3b36c7cdd8dcc5395329e1e6cfdbf0eb82a8afa330c3621087aa54a9c2fd2a1d1ab78b85ecf462670ea9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\spider.exe

Filesize
186KB

MD5
149be3aa2b3b6c5f3cb980cca9e5b53a

SHA1
ac52b531b8aa82222f7f27ea9cc7a080e3ecc4d3

SHA256
f124c47e8176c4c1132a6df2889a046b4da58facf8cc10c3a1b2e296e25709cc

SHA512
e323b97da90389670f2e305e8cbddc4a0a228285cf1ee1f3e728de03f2042b7dc1956638734a59525322d7db82f08f7fd02ab977319c70585aeb8a66fa47c532

Download Submit
C:\dfsQPArFx.README.txt

Filesize
423B

MD5
559d1ac60a934ed435d37e9b6fe4f3ff

SHA1
4fdeb3ffd09bd3973daaf1b5b8bcfbf97b790283

SHA256
2faf1ab36fd967c8d7cfada736327a491eb6c5bf784863c4970ba3108fbae2fa

SHA512
60c767de94e236a527d44715a4d1e11a3864b382f24aad74cabd8b466e03c4baf17a522b4b84ba406210b44e79c18ab6621cf536e2266d0962ca4f2e6ca0b933

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1412605595-2147700071-3468511006-1000\DDDDDDDDDDD

Filesize
129B

MD5
2b6016cd59c42d0ceb5de2b5d4b6c2d1

SHA1
abe5ac29e3839e769a506969cf2137ad0a02dc8a

SHA256
d0cbfa141ea3b0cf6874febade3ef9637e66f9b087f9af96d31364ca87fcfca1

SHA512
a2dcc0c6d4fad16ae669fa526176682a066064d23441562361aec32d421ad59fe791828da41f011278f39b83a2fef06a7afc2e2ec3030cd0faa8fef2789dde88

Download Submit
memory/828-2895-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/828-2897-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/828-2899-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4740-11-0x0000000003180000-0x0000000003190000-memory.dmp

Filesize
64KB

Download
memory/4740-10-0x0000000003180000-0x0000000003190000-memory.dmp

Filesize
64KB

Download
memory/4740-9-0x0000000003180000-0x0000000003190000-memory.dmp

Filesize
64KB

Download