Overview

overview

10

Static

static

10

LockBit-Bl...ld.bat

windows7-x64

3

LockBit-Bl...ld.bat

windows10-2004-x64

3

LockBit-Bl...B3.exe

windows7-x64

10

LockBit-Bl...B3.exe

windows10-2004-x64

10

LockBit-Bl...or.exe

windows7-x64

7

LockBit-Bl...or.exe

windows10-2004-x64

7

LockBit-Bl...in.dll

windows7-x64

10

LockBit-Bl...in.dll

windows10-2004-x64

7

LockBit-Bl...32.dll

windows7-x64

3

LockBit-Bl...32.dll

windows10-2004-x64

3

LockBit-Bl...ss.dll

windows7-x64

10

LockBit-Bl...ss.dll

windows10-2004-x64

10

LockBit-Bl...ss.exe

windows7-x64

10

LockBit-Bl...ss.exe

windows10-2004-x64

10

LockBit-Bl...er.exe

windows7-x64

1

LockBit-Bl...er.exe

windows10-2004-x64

3

LockBit-Bl...en.exe

windows7-x64

1

LockBit-Bl...en.exe

windows10-2004-x64

3

LockBit-Bl...ld.bat

windows7-x64

3

LockBit-Bl...ld.bat

windows10-2004-x64

3

LockBit-Bl...B3.exe

windows7-x64

10

LockBit-Bl...B3.exe

windows10-2004-x64

10

LockBit-Bl...or.exe

windows7-x64

7

LockBit-Bl...or.exe

windows10-2004-x64

7

LockBit-Bl...in.dll

windows7-x64

10

LockBit-Bl...in.dll

windows10-2004-x64

7

LockBit-Bl...32.dll

windows7-x64

3

LockBit-Bl...32.dll

windows10-2004-x64

3

LockBit-Bl...ss.dll

windows7-x64

10

LockBit-Bl...ss.dll

windows10-2004-x64

10

LockBit-Bl...ss.exe

windows7-x64

10

LockBit-Bl...ss.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/03/2025, 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LockBit-Black-Builder-main/LockBit30/Build/LB3_ReflectiveDll_DllMain.dll

  • Size

    106KB

  • MD5

    2ecc319574b76994e76c4f971c820362

  • SHA1

    8f3d04cab7c6be2220860ec391d75ba2f8f17b33

  • SHA256

    123797c18b044fb5aeba5dcccaf9ef1df0b7553413e9433876f1f94b8cd0584f

  • SHA512

    39c63668d424ff9efa625a82312edf5a30f7ca3edd896bd6ef1857ced02e5462cf191af54b6e55388b844fa5e50f77e3a6ce5b5983f61eb57a45c4b2fbb3567e

  • SSDEEP

    1536:LzICS4A30TY1kUS/U2ztdS1I6DdL9Ta16CX4VtgYfC3zHZbhuMGCS:0J0TYyUS/U2RgGWL9+joVtHfilfd

Score
7/10
defense_evasiondiscovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\ProgramData\AC5D.tmp
        "C:\ProgramData\AC5D.tmp"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AC5D.tmp >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2444

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AC5D.tmp
    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main\LockBit30\Build\BBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    Filesize

    106KB

    MD5

    e1bc7dad609156e4000bf4de31fbc894

    SHA1

    8532048676eded8af9820d6cd39b12a1aed3b0c0

    SHA256

    fe45144aa1de61fcd9bfc2550ec029d29df83b9bd5b0423d4421df3244812b86

    SHA512

    0260e242acd915416bbff23b19c15d03717471129566764eac0c70405090a9fca980e664d670b567ac52f58ca778be3319e818e30058ba4af96fac78ad27966a

    Download Submit

  • memory/3508-45-0x000000007FE00000-0x000000007FE01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3508-11-0x000000007FE40000-0x000000007FE41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3508-15-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3508-44-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3508-14-0x000000007FE20000-0x000000007FE21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3508-13-0x00000000022D0000-0x00000000022E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3508-12-0x00000000022D0000-0x00000000022E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4704-4-0x0000000002D00000-0x0000000002D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4704-5-0x0000000002D00000-0x0000000002D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4704-0-0x00000000024A0000-0x00000000024B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4704-2-0x00000000024A0000-0x00000000024B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4704-1-0x00000000024A0000-0x00000000024B0000-memory.dmp

    Filesize

    64KB

    Download