34ae59b7acc09c2e82625640cae82c5158b649db1418ddbaa24138b51f1722c5

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit-Black-Builder-main/LockBit3Builder/Build.bat
Size

733B
MD5

1905cc9973206fea5050b737f9303fb4
SHA1

497524177d9478a4b5dca3e73cc230be6abf4ce0
SHA256

e2f5b93040d57de6251d16256bcd04aa8eb337bde87308e602f01070efd345fb
SHA512

95bae9406d01083f6fe6916ecf8e889afe20ff5863070f1787dc7a60d2d1d5af2cf3fd481a3c4fb531f16dd2cb7a685002aaac1dc907cf189c19c60f2816dd76

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

pid	Process
2328	keygen.exe
1812	builder.exe
2084	builder.exe
1616	builder.exe
2484	builder.exe
2296	builder.exe
2536	builder.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2328	2008	cmd.exe	31
PID 2008 wrote to memory of 2328	2008	cmd.exe	31
PID 2008 wrote to memory of 2328	2008	cmd.exe	31
PID 2008 wrote to memory of 2328	2008	cmd.exe	31
PID 2008 wrote to memory of 1812	2008	cmd.exe	32
PID 2008 wrote to memory of 1812	2008	cmd.exe	32
PID 2008 wrote to memory of 1812	2008	cmd.exe	32
PID 2008 wrote to memory of 1812	2008	cmd.exe	32
PID 2008 wrote to memory of 2084	2008	cmd.exe	33
PID 2008 wrote to memory of 2084	2008	cmd.exe	33
PID 2008 wrote to memory of 2084	2008	cmd.exe	33
PID 2008 wrote to memory of 2084	2008	cmd.exe	33
PID 2008 wrote to memory of 1616	2008	cmd.exe	34
PID 2008 wrote to memory of 1616	2008	cmd.exe	34
PID 2008 wrote to memory of 1616	2008	cmd.exe	34
PID 2008 wrote to memory of 1616	2008	cmd.exe	34
PID 2008 wrote to memory of 2484	2008	cmd.exe	35
PID 2008 wrote to memory of 2484	2008	cmd.exe	35
PID 2008 wrote to memory of 2484	2008	cmd.exe	35
PID 2008 wrote to memory of 2484	2008	cmd.exe	35
PID 2008 wrote to memory of 2296	2008	cmd.exe	36
PID 2008 wrote to memory of 2296	2008	cmd.exe	36
PID 2008 wrote to memory of 2296	2008	cmd.exe	36
PID 2008 wrote to memory of 2296	2008	cmd.exe	36
PID 2008 wrote to memory of 2536	2008	cmd.exe	37
PID 2008 wrote to memory of 2536	2008	cmd.exe	37
PID 2008 wrote to memory of 2536	2008	cmd.exe	37
PID 2008 wrote to memory of 2536	2008	cmd.exe	37

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2484
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\priv.key

Filesize
344B

MD5
325f99b1271f73e9688b6ce9613cac84

SHA1
6bac792e9a4a852e1b8bd85fccd06d9564f93442

SHA256
2fb37240a8b9d189c5b493452108037f2f438afc4782dd763cf006f08efa3800

SHA512
6ca7f922af4a9e41200d73b1478981f7508f02dfbd93553a2d3a4614eb30698010ede89752d44f9ef1a726b3d4a44f9cf87fe2664b688af9f114b0103cfeda0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit3Builder\Build\pub.key

Filesize
344B

MD5
6c091e4fa0bfc4f0b61a8ce9736b5fd0

SHA1
352af020ed6b47637c2dc2844c372d94d6248c0b

SHA256
7bc3bd69c1a0efa23568987683480327b9699d9044cb69f50eb2ceb06c9798f2

SHA512
c80b231d837f574c9a05ffb69083fdd364e54c0611fe22efe692b4d5370d48762309bfe3688cede395b9d4b90914834fbeb198d66065c28e0fee75d7cf20b2f5

Download Submit