lockbit | hxxps://github[.]com/NNWDeveloper/LockBit-Black-Builder/blob/main/Lockbit%203%20Builder[.]zip

Analysis

max time kernel
110s
max time network
102s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-02-2025 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/NNWDeveloper/LockBit-Black-Builder/blob/main/Lockbit%203%20Builder.zip

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\iLmPiOLzG.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B1398B0F17693A15110ABEEAC416797F >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000027e04-292.dat	family_lockbit

Renames multiple (567) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2580446533-3148764140-1073334258-1000\Control Panel\International\Geo\Nation	E77D.tmp

Executes dropped EXE 4 IoCs

pid	Process
4540	LB3.exe
5176	LB3Decryptor.exe
5352	LB3.exe
5412	E77D.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2580446533-3148764140-1073334258-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2580446533-3148764140-1073334258-1000\desktop.ini	LB3.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
44	raw.githubusercontent.com
43	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
5176	LB3Decryptor.exe
5352	LB3.exe
5412	E77D.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E77D.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3Decryptor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.iLmPiOLzG	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iLmPiOLzG\DefaultIcon\ = "C:\\ProgramData\\iLmPiOLzG.ico"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2580446533-3148764140-1073334258-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iLmPiOLzG\ = "iLmPiOLzG"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iLmPiOLzG\DefaultIcon	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iLmPiOLzG\ = "iLmPiOLzG"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iLmPiOLzG\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iLmPiOLzG	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.iLmPiOLzG	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iLmPiOLzG\DefaultIcon\ = "C:\\ProgramData\\iLmPiOLzG.ico"	LB3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4732	msedge.exe
4732	msedge.exe
2008	msedge.exe
2008	msedge.exe
3764	identity_helper.exe
3764	identity_helper.exe
2016	msedge.exe
2016	msedge.exe
1480	msedge.exe
1480	msedge.exe
3012	mspaint.exe
3012	mspaint.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe
4540	LB3.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeDebugPrivilege	4540	LB3.exe
Token: 36	4540	LB3.exe
Token: SeImpersonatePrivilege	4540	LB3.exe
Token: SeIncBasePriorityPrivilege	4540	LB3.exe
Token: SeIncreaseQuotaPrivilege	4540	LB3.exe
Token: 33	4540	LB3.exe
Token: SeManageVolumePrivilege	4540	LB3.exe
Token: SeProfSingleProcessPrivilege	4540	LB3.exe
Token: SeRestorePrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeSystemProfilePrivilege	4540	LB3.exe
Token: SeTakeOwnershipPrivilege	4540	LB3.exe
Token: SeShutdownPrivilege	4540	LB3.exe
Token: SeDebugPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	5176	LB3Decryptor.exe
Token: SeDebugPrivilege	5176	LB3Decryptor.exe
Token: 36	5176	LB3Decryptor.exe
Token: SeImpersonatePrivilege	5176	LB3Decryptor.exe
Token: SeIncBasePriorityPrivilege	5176	LB3Decryptor.exe
Token: SeIncreaseQuotaPrivilege	5176	LB3Decryptor.exe
Token: 33	5176	LB3Decryptor.exe
Token: SeManageVolumePrivilege	5176	LB3Decryptor.exe
Token: SeProfSingleProcessPrivilege	5176	LB3Decryptor.exe
Token: SeRestorePrivilege	5176	LB3Decryptor.exe
Token: SeSecurityPrivilege	5176	LB3Decryptor.exe
Token: SeSystemProfilePrivilege	5176	LB3Decryptor.exe
Token: SeTakeOwnershipPrivilege	5176	LB3Decryptor.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeBackupPrivilege	4540	LB3.exe
Token: SeSecurityPrivilege	4540	LB3.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3012	mspaint.exe
3012	mspaint.exe
3012	mspaint.exe
3012	mspaint.exe
5176	LB3Decryptor.exe
5452	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1784	2008	msedge.exe	83
PID 2008 wrote to memory of 1784	2008	msedge.exe	83
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4612	2008	msedge.exe	84
PID 2008 wrote to memory of 4732	2008	msedge.exe	85
PID 2008 wrote to memory of 4732	2008	msedge.exe	85
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86
PID 2008 wrote to memory of 1820	2008	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/NNWDeveloper/LockBit-Black-Builder/blob/main/Lockbit%203%20Builder.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0xe0,0x134,0x7ff84a9646f8,0x7ff84a964708,0x7ff84a964718
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3073218604863050565,16976722882031377614,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:2360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3252

C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\keygen.exe
"C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\keygen.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1484

C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\builder.exe
"C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build.bat" "
1⤵
PID:4540
- C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\keygen.exe
  keygen -path C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build -pubkey pub.key -privkey priv.key
  2⤵
  PID:2780
- C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\builder.exe
  builder -type dec -privkey C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build\LB3Decryptor.exe
  2⤵
  PID:2572
- C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build\LB3.exe
  2⤵
  PID:4336
- C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build\LB3_pass.exe
  2⤵
  PID:1968
- C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build\LB3_Rundll32.dll
  2⤵
  PID:4000
- C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build\LB3_Rundll32_pass.dll
  2⤵
  PID:1276
- C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  PID:4512

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\Build.bat
1⤵
PID:2592

C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\keygen.exe
"C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\keygen.exe"
1⤵
PID:4244

C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\keygen.exe
"C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\keygen.exe"
1⤵
PID:4588

C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\keygen.exe
"C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\keygen.exe"
1⤵
PID:2612

C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\builder.exe
"C:\Users\Admin\Downloads\Lockbit 3 Builder\LBLeak\builder.exe"
1⤵
PID:64

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\LockBit-Black-Builder-main\Screenshot_20220921-210605_Samsung Internet.jpg"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5064

C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
"C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4060

C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\keygen.exe
"C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\keygen.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4760

C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
"C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe"
1⤵
PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build.bat" "
1⤵
PID:4784
- C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\keygen.exe
  keygen -path C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build -pubkey pub.key -privkey priv.key
  2⤵
  PID:5004
- C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
  builder -type dec -privkey C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\priv.key -config config.json -ofile C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4708
- C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:548
- C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4908
- C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:396
- C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4512

C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3.exe
"C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:5948

C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3Decryptor.exe
"C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5452

C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3.exe
"C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5352
- C:\ProgramData\E77D.tmp
  "C:\ProgramData\E77D.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:5412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E77D.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560

C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
"C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe"
1⤵
PID:5992

C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
"C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe"
1⤵
PID:4048

C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
"C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\builder.exe"
1⤵
PID:6052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2580446533-3148764140-1073334258-1000\CCCCCCCCCCC

Filesize
129B

MD5
2e13df66a69ff61b85d2b1de46886e92

SHA1
55be02c3cc6eef41bd8638b057ccf58d50ac2d54

SHA256
3ea7250488baf2adc985da794faa3fab0a52e3f8014d45b4669c3356b1cdf019

SHA512
015059799837b532da6af58fedf1c0dfd25cceb6ac22f70b673494a3638d4cb4edff02a0b5240a22581af8762d90049f245782f69fd882f6d7833f79e0b01eeb

Download Submit
C:\ProgramData\E77D.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\ProgramData\iLmPiOLzG.ico

Filesize
14KB

MD5
88d9337c4c9cfe2d9aff8a2c718ec76b

SHA1
ce9f87183a1148816a1f777ba60a08ef5ca0d203

SHA256
95e059ef72686460884b9aea5c292c22917f75d56fe737d43be440f82034f438

SHA512
abafea8ca4e85f47befb5aa3efee9eee699ea87786faff39ee712ae498438d19a06bb31289643b620cb8203555ea4e2b546ef2f10d3f0087733bc0ceaccbeafd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425248739d77afa964e1a893d2ea5a94

SHA1
ae91c41cde6ffe01839ae7e61b193c241d18a513

SHA256
816b3a135562fe43c926caa3e9f2b6271ec5fd7e44d6a05dbc6d7cf9504aa254

SHA512
c4dde9efb7f500f7216d83e9327b03a1905568da3a7346668100792d4309fce8ac2ef1fe6124ae06a4686762b4b41d5ab7a64343c446b60c301c8283d9547c37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
517fc990e968dbed87152db50faab786

SHA1
8cdb5afc72f0d90d27f51fc64fa8b8e09e74fa07

SHA256
157e2597707e594bb8590aefd24c1b240c80fe4b415b545c86d9808e4301bb3f

SHA512
fcaa548e801d7ace3fc9e7aad825fb0f5138de91240e471204265cdcf9c543f528fdd4307a471583c5e1223ad4ec7e17025da4164b8f5977530977753bc2f278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
21cb66532a7a5fa3806a35b33ab77a67

SHA1
1e367a3d17ae505acce8a27f8a3922ee65c4c845

SHA256
8fe7cac4d165bbd39925c36aa2c9b3b596d01d6813f0e507b3a0c9f7342fb3c0

SHA512
d9ed350a4d0c142ac8a8e76c7da023c03c4ab26e84e2f72583249be399a8f166380aefed750e4cfe3b76f0bc6959800bfd4e681692fe03f5531114789e15bf2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
28856de9020210c9d7e00c8f1ba8aa07

SHA1
c66a59ff294f40e4da571aa7803765eaf15dd89d

SHA256
5e5e69aaf00a0d776c719fc9d17f1e308ea863599d0e477f820802b7ab64dfbb

SHA512
c873eea25beb0c8fe1007b952671097061cff311b034d5682204be5a7bb5ca37eda183f9c336bcd0d6da6cd0dc610bcb0227f3d8db30e2d1f7d93d6a905cf507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
dcb3a22320d5a33a1efa1b4847ea4bcb

SHA1
a593fdbecd26610c1891961c378941baf8560398

SHA256
33e7feba556087bb8a0abd289b518350b77d05b7a551700fad1955048e59ef85

SHA512
0ebb797fc67e557d0960f80e5c039efc238cb64edc3a7fccc39eb2142ada726ed91498e83abb725017953c3c900943364793c8e6f952a7c2784e27748d83d2b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0b71905e46e4cc7da463c1b5a549f466

SHA1
db00bb5eb2613a415e3070cb64a8fb493eda56ed

SHA256
38c1e674681ecc02d3e2befa9b244c63d233bae77c73a36c227ba436cc24ea2f

SHA512
367288e206cee31345baf66cdedb45ffe1152320ed66530fa7d6a306492612f741b96ddc72fa4111092a2ee79d5548db05fa4e11bb7247784091db1af0ac2c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d13ddb15de1860e6a04ba32289bfe9ed

SHA1
fb6da54869213bf2232ec26d4b9b1e5d3efc2b5d

SHA256
635b97e895e2c1125ec35495554d67a80eb50104c1fb0f543c5b85371dbbab61

SHA512
c8c4299a9eaa2d0c36c22fb2b99e3ed0a18b17cbcc51b617e4195b1ef34f86196e489ad7bd0d6a456407a2071165a46b87e39ef07056fdc63f7eb0c8f095dd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bb22.TMP

Filesize
1KB

MD5
7df9d0b10033dc081b0ef3dd6243b9ee

SHA1
2676fea128f54f0ce4367d0d98fa3536c6bcc647

SHA256
58115a28dcd81bd265728f6c76ea29c8bd012ce2501d5d055cc108cf831624b7

SHA512
59cd96b9a1adc978c9201eee2b2ab865fa155c94aa81e4ee59b56433310e86096103168d4cfa1431889f5692a0c3370138012982c2c76ec390de4fdcd61bd745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1720bdf2d72a0e59c9c691f3f6ad6dfd

SHA1
558f45a97f86070271dc09f34a1d5b3b6eba1c0e

SHA256
e79cf19b462123bd272086352517a9c0f507cc3c27f3e3e611eb084569e2c397

SHA512
476a0cf6ab6e709db6f6506c02fff2a94c794aa5d2123869ee0154008567265d55fc65766accdfc6b267c506d23e870ce8bdf34904931828de4173322a82a5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
da07739ac38ac54c71f187d55db93921

SHA1
9b4a3a411d34fee86934d151e4063409b6883aa0

SHA256
14f378da6005d40aa6bf2df502cca79faffafb1e78ec266c38759fb3a0213142

SHA512
d6c085d9f557e949874869fdf3a6c859f7446f80f7e376e095b202a9042ef53f6c60fec6899dde1fe217de41185bd5caa330a93156e80c867c61f6a6a9ba9a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
279B

MD5
a704a1b1b313fa120be65a0d258492c8

SHA1
f974eb14e3459a6fcb9f949f327afc85dd099af6

SHA256
4cfca5cafc00b89c9cae1fa80c78fc352f38932e5d49690b125bb151a842d318

SHA512
9b400dfcf9b3f75d4565c9ce4e6384ffeb2ad88a60765e03bf4071c96c118ad98ac3363d849201cf91d1c04eb4de16c4e957b8515537435a96c8da514b5706f1

Download Submit
C:\Users\Admin\Downloads\LockBit-Black-Builder-main 2.zip

Filesize
2.6MB

MD5
a5fbe0c5d0b5abd4dd0cb3bf69f3be6b

SHA1
fcc36b7c657a9187572ad3f527992b33c560f2e3

SHA256
34ae59b7acc09c2e82625640cae82c5158b649db1418ddbaa24138b51f1722c5

SHA512
a10b15c4368bbb836643d534a2c732c794bdac1034ca7c088ebd7c5333969763eea5be30977e6dd6b039e051e4b36acfef6fbb5129009d5bfd1eb75d706c7cdb

Download Submit
C:\Users\Admin\Downloads\LockBit-Black-Builder-main 2.zip

Filesize
2.6MB

MD5
94e27559005aa80c7392192f3b56782b

SHA1
ba98f86f94f087e9cabfe7099285b3584216b873

SHA256
6ee3164d49df81aeb9727dfddeb7e086c8ee8be9cf21a365ef175e7522f3cff8

SHA512
e52b1711b906f2d092f249675288672b8119bea34834042f63af5a074cce66b51d4a73b83119721b175ab8ce30b02750327304935710349432ee4fa320c96104

Download Submit
C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\DDDDDDD

Filesize
153KB

MD5
78d206babfc877fb817a9dede09e487a

SHA1
02ddd29a138715bd19f27d635df44c1d056f74ab

SHA256
21d823724270a4a9a57acfa839692f5844873cf310a2b5edb75edc50968b27b5

SHA512
5271e678610517e49134ad7e78d1e2e690d691a795d2200ac9ccc3005bf3a47da97868ab48f6bbf9a7f9086291ff33ae86a4e2551da8936e89fdd3f43f4aea4f

Download Submit
C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\DECRYPTION_ID.txt

Filesize
265B

MD5
2b3fc9f795ff1f2cc28501e1f2185bb3

SHA1
a69863192205bff87c66187a82cbeb5924920711

SHA256
0ab2b2c3aeeb923710093c3038a911a451c46547260939db261e54c7644b4330

SHA512
6d40a8fd2a3ca3251be199365a9a5cc6adb29f6373729ed7c9e097e4aba7695473df2d90ba9dd239fa71530913973ac77abf7dd372aeff9de5e9108057806922

Download Submit
C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3.exe

Filesize
153KB

MD5
ad012545794f3f38a9bffed27f7ab788

SHA1
001012c6bfcffc25ee6332270b504c6be735fe28

SHA256
e54b4aec3ba52ba1583db2212b926525185881a40fd9e9e98d869a330faf458c

SHA512
4932161ec45f5da4ff7fc0a84a09e4e51d2c2eed78f27cd14b9b0f8758dad0c82cb01dea615a5c8b9eed71d7a8bb4a957b87482ff0964ce0ba15c020f8845cd9

Download Submit
C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3Decryptor.exe

Filesize
54KB

MD5
14272c9026c652bedee1363c2e5ee888

SHA1
cddb3ea8fb415ccaaa6ab83b18a6bdeadbf13c39

SHA256
8bf3b5f07dfc3f6cb5418a07687d1f8921f17339c37daa699fa9f9c58261123c

SHA512
7b72057d9d13fb2bcada322636129eb66eec2bc2969033c1552edd0ba67be196f95a5bcdb741bb56e1695ab05910424bfe023ce14ddbefe424968318b7c9ee3f

Download Submit
C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\Password_dll.txt

Filesize
2KB

MD5
3056f64e4d29943a2f454e746620fe27

SHA1
1376cce239d5c992828f9df7320b83d10a2e680c

SHA256
41f5caf56ff8597ae20d50a8a9147a38ccab0814611b2dc39e30a64aef1573e6

SHA512
3a9c5e8dd1f9bdb25628e96401c07f9a7e3ea262668c83e07a6ed3009e620b9a2c71c027df9ddeaec55421ab2dbe882bacefa05c42980044eb2d778337b6d887

Download Submit
C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\Password_exe.txt

Filesize
2KB

MD5
8d39bda1ab7e0086c698837f586a9ad9

SHA1
778508f88ddf9396a7637ab1262f777d8466319d

SHA256
462230beac9c683b0f8a24c52959ba1fb4f4c4ff8f956ccde0ac7b5d681e1151

SHA512
380dbe6bd3e227bbf3897e0201e5e7fae667aa4dfa5b835c3a677a1fe971742cefd181cfebd64a64527c3e08e331f9ef9488151c9637e13843249559a48c9d28

Download Submit
C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\priv.key

Filesize
344B

MD5
ef2f7ea71fd088cd5e90395a7ba5bf5d

SHA1
ea048abddc6b67c5cb4740ccee3cb96f89390b33

SHA256
788276ee61d8e5671e9df9c7f04a6be4cab8c0553da353fc5fd74dfffce78eb3

SHA512
637939450ca21a4eb05cc49ea04b9d14f54f9edbb1b293f988af1fee75926a00f8c1a3aad0b751db6bdc245a5a1860a5c95be270b9dd762dacc6c24d526745d4

Download Submit
C:\Users\Admin\Downloads\LockBit-Black-Builder-main\LockBit3Builder\Build\pub.key

Filesize
344B

MD5
221c100a2bb1ca94ad73e6e22e5ecb56

SHA1
f03f75e9ed28e248792736a030d5af2deec7f6b9

SHA256
abfa73eac9a3b884fd931bb3faa6fb713092187e1309174ba28247f566b8d912

SHA512
121bac5212fe2ea8e34f7a211fe1ba617417221b12c025aa0c333d5b986037ddc81ca864b95f46e1419e72a7f0d1a32e25730a34306baf3b89c1d74a7df4bc9d

Download Submit
C:\Users\Admin\Downloads\Lockbit 3 Builder.zip

Filesize
293KB

MD5
d72c6cfdf3ba0bab4823e43e150f6678

SHA1
36b0519d51028d0a581d06fc350f80a79f586404

SHA256
75ce28f4d233ea20ca54ff3f88729cb17640520694fcf8e60c6c481cd1fd25b4

SHA512
c05c80d93fe7abe5995a017587ffcfa77aa9d15cc5c107e5dce333890238f6594e7b8cf1be2d693b8370e54fb30e15d978499dd9458d222dce21966d15079e51

Download Submit
C:\Users\Admin\Downloads\Lockbit 3 Builder.zip

Filesize
293KB

MD5
1fd212323d84fea1b4f2e175e3f9d907

SHA1
eaa0d0530a4085ea401f73de6ccaa8834cf2ed00

SHA256
41d970efd5b6f9221809ce4dd0e776057dd5c304f814b8dd0a0ecc789e1dedf8

SHA512
5dd0dc15229afb96b7905783550b23db1257ca527333e5b2c1df01523a93adbb0b12a25daea565f1bce552f47c0e2070b4dfbf9803be1ec0348c648da631afc2

Download Submit
C:\iLmPiOLzG.README.txt

Filesize
6KB

MD5
848f8fe6ee912fe8a996f6508af1a7e7

SHA1
cad6008f2c68c3c67f0aaa3bd804b071b8ccdb8d

SHA256
6e1cd2ccedd6d944d573c7fe5074061389c490ac57bfc547b5be1666ae391535

SHA512
156692f9ac2de4c3120cfc4250ad8d818e81091debee73e32129223764f0e721ba664649fc3c226d66f1ea818cf845f336e859b3ee13f267d677525b80118ebb

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2580446533-3148764140-1073334258-1000\HHHHHHHHHHH

Filesize
129B

MD5
535d8e38467b20768f20ce20b8703d02

SHA1
bb55826da45a048c894a2906ebbe99aea643a67f

SHA256
7e1e0b89a88c68a75bda522b746354c373456fd64dfa77f9f6a919c7b9066afa

SHA512
b98ac0f3156ae0a0650b30d717d3048bb768508909fa5baec0bf704b24ecae517769d14cbee0c401911dd5ebc798d2b7d56c50bb4e9855a9aba78530785f434a

Download Submit