34ae59b7acc09c2e82625640cae82c5158b649db1418ddbaa24138b51f1722c5

Analysis

max time kernel
104s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit-Black-Builder-main/LockBit30/Build.bat
Size

733B
MD5

1905cc9973206fea5050b737f9303fb4
SHA1

497524177d9478a4b5dca3e73cc230be6abf4ce0
SHA256

e2f5b93040d57de6251d16256bcd04aa8eb337bde87308e602f01070efd345fb
SHA512

95bae9406d01083f6fe6916ecf8e889afe20ff5863070f1787dc7a60d2d1d5af2cf3fd481a3c4fb531f16dd2cb7a685002aaac1dc907cf189c19c60f2816dd76

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2100	1648	cmd.exe	87
PID 1648 wrote to memory of 2100	1648	cmd.exe	87
PID 1648 wrote to memory of 2100	1648	cmd.exe	87
PID 1648 wrote to memory of 1404	1648	cmd.exe	90
PID 1648 wrote to memory of 1404	1648	cmd.exe	90
PID 1648 wrote to memory of 1404	1648	cmd.exe	90
PID 1648 wrote to memory of 1904	1648	cmd.exe	91
PID 1648 wrote to memory of 1904	1648	cmd.exe	91
PID 1648 wrote to memory of 1904	1648	cmd.exe	91
PID 1648 wrote to memory of 1960	1648	cmd.exe	92
PID 1648 wrote to memory of 1960	1648	cmd.exe	92
PID 1648 wrote to memory of 1960	1648	cmd.exe	92
PID 1648 wrote to memory of 5136	1648	cmd.exe	93
PID 1648 wrote to memory of 5136	1648	cmd.exe	93
PID 1648 wrote to memory of 5136	1648	cmd.exe	93
PID 1648 wrote to memory of 1584	1648	cmd.exe	94
PID 1648 wrote to memory of 1584	1648	cmd.exe	94
PID 1648 wrote to memory of 1584	1648	cmd.exe	94
PID 1648 wrote to memory of 5016	1648	cmd.exe	95
PID 1648 wrote to memory of 5016	1648	cmd.exe	95
PID 1648 wrote to memory of 5016	1648	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build -pubkey pub.key -privkey priv.key
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1404
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1904
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1960
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5136
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\priv.key

Filesize
344B

MD5
ab35e7e4420fa8099379d71490e5edd6

SHA1
f1684b2989f8c3ec76c291542b29779370a67272

SHA256
a05f74baf1ceefce1223361f245a40d04dc559106385254ab6c0b1f288c6cf4b

SHA512
474981e1c70c6dc44de0fc723db75e6e07b346f098ea27ac212f299ba2a5ee8f1b24d935f9ec8dc9c02cd41a5225dac4507e41d162d6fc99f9d88b2385f975ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\pub.key

Filesize
344B

MD5
31dc6f5daba09d587d532bfb878ae19b

SHA1
0eabb24c13e974e883255f803fbfa7c14e9e7d04

SHA256
8ac141b7363023a90860120b8b9c0466e18917fdae9bfb90454d7838c5061432

SHA512
e7ad11c5e249187048c10f890daca5f22ba9c2a2d391fd3d95594002d7b5d98dbb6c971f084b7be46692d1cddae719b946d98406ea436adc4bfebb1c9ddd2006

Download Submit