Analysis Overview
SHA256
6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417
Threat Level: Known bad
The file 6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe was found to be: Known bad.
Malicious Activity Summary
Rule to detect Lockbit 3.0 ransomware Windows payload
Brain Cipher
Lockbit family
Braincipher family
Checks computer location settings
Deletes itself
Executes dropped EXE
Reads user/profile data of web browsers
Indicator Removal: File Deletion
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-21 06:46
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-21 06:46
Reported
2025-04-21 06:48
Platform
win10v2004-20250410-en
Max time kernel
103s
Max time network
139s
Command Line
Signatures
Brain Cipher
Braincipher family
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | C:\ProgramData\A7D9.tmp | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\A7D9.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\A7D9.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3027557611-1484967174-339164627-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3027557611-1484967174-339164627-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | N/A |
Indicator Removal: File Deletion
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\A7D9.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\A7D9.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 512 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | C:\ProgramData\A7D9.tmp |
| PID 2244 wrote to memory of 4496 | N/A | C:\ProgramData\A7D9.tmp | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
"C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe"
C:\ProgramData\A7D9.tmp
"C:\ProgramData\A7D9.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A7D9.tmp >> NUL
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 172.217.16.67:80 | c.pki.goog | tcp |
Files
C:\$Recycle.Bin\S-1-5-21-3027557611-1484967174-339164627-1000\desktop.ini
| MD5 | 69ffd7c33f4691a203147e1e1942db75 |
| SHA1 | ab648aae0d9fd907176a12132509574d075ddb7b |
| SHA256 | 5183109229c57ae9fb1f14932dad1acde6369ea2173dcec8ce98604d14aedb4d |
| SHA512 | b8c42858a92b111696648a9cb143a0991c0dc384c43e0b73cfdc980bde1559cbeed017b054b7a9e1d150d7f463a94ef70c3627d16fb2f131217106038617222a |
F:\$RECYCLE.BIN\S-1-5-21-3027557611-1484967174-339164627-1000\DDDDDDDDDDD
| MD5 | 0649dd56de9b6f9caadc2fbf70755cb6 |
| SHA1 | 03ce1503cd3ec9d782ceecc5fbc82cf110941b35 |
| SHA256 | 6cabdbe194a76c7cd4ca6ad1516d577de55bfc276364fe1b19a2927ed12a1baa |
| SHA512 | a9227c6930e51bce4b29908421d35b087a6b539e14491ee431eecf60c50c102541152bddbfc4d02f25174ea66c0f3aa9715d1e73616e02df59d95be23cd1a07f |
C:\flzQgniJJ.README.txt
| MD5 | 3bebb5494e1c3d4753ce92a479e7eda5 |
| SHA1 | 243685d0515d19210e4e2f354d367be6212e98ff |
| SHA256 | 13d69c85aeb5beab58caefaa2cdc257d668f568103a5cebbd98038b3b66b66bd |
| SHA512 | 0e31e7bf96fbd6bb91fbe96e59acf96dd0fef5e9db9e93e924afd17fe1066c04b0d9bf9e2d60c335db4f0347107a63d92dfc9ba9b166d2e3151e5440232f63da |
C:\ProgramData\A7D9.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | e970c5f8e377591b1ec6ceda97897bc9 |
| SHA1 | caac1fa8e92b1582b24df6a846c5482cd55c6791 |
| SHA256 | 74bb9761b0637294f6facc1d9103640b96d22ff3cf115957579a1233ea309a37 |
| SHA512 | 3006f1ec88fec832de87992a12717ac358e78aaef368bca46fbe42fbdfe1c5d45ab3d2aede25944a361a13afc23e4557093bd736be11bc30a1efe31f6effac36 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-21 06:46
Reported
2025-04-21 06:48
Platform
win11-20250410-en
Max time kernel
103s
Max time network
104s
Command Line
Signatures
Brain Cipher
Braincipher family
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\AE51.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\AE51.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-4239789418-2672923313-1754393631-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4239789418-2672923313-1754393631-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | N/A |
Indicator Removal: File Deletion
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\AE51.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\AE51.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5440 wrote to memory of 5468 | N/A | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | C:\ProgramData\AE51.tmp |
| PID 5468 wrote to memory of 2904 | N/A | C:\ProgramData\AE51.tmp | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
"C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe"
C:\ProgramData\AE51.tmp
"C:\ProgramData\AE51.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AE51.tmp >> NUL
Network
Files
C:\$Recycle.Bin\S-1-5-21-4239789418-2672923313-1754393631-1000\CCCCCCCCCCC
| MD5 | 792ce97c733d78700ee4108087060fef |
| SHA1 | e18208b0dc3cca5bb8a8e5e719dd0970f3a2a80f |
| SHA256 | 2f3179c017c3c193f3d3fdb8ffbe9034425e3a4be296c9e77dc4f525fc2d0967 |
| SHA512 | 962ff754e81aea50c418964b8f3a00edee11e6ba7fb68f62e4421351f81a557c453b719a1c136cbb94b991259f470c07eb6730248c7181fc178e3e787ce00466 |
F:\$RECYCLE.BIN\S-1-5-21-4239789418-2672923313-1754393631-1000\DDDDDDDDDDD
| MD5 | 42546b38b5aabeb1cbd129cb0debb898 |
| SHA1 | 4d6292dd749423691d4c7841ee49fd4d830d9498 |
| SHA256 | 2b329685ce86afacd031ae11e37b9ddca638d7a271f3f6485d4d9a45f5336ac8 |
| SHA512 | 97fb33fbcd026bfeefad444db7e4f5ef85aedee83f9889390262b7f065b31cb71558f94a2850cea7c118f7aeb8a19240f17bd51dacd6b6b6851e174aa1031bd4 |
C:\flzQgniJJ.README.txt
| MD5 | 3bebb5494e1c3d4753ce92a479e7eda5 |
| SHA1 | 243685d0515d19210e4e2f354d367be6212e98ff |
| SHA256 | 13d69c85aeb5beab58caefaa2cdc257d668f568103a5cebbd98038b3b66b66bd |
| SHA512 | 0e31e7bf96fbd6bb91fbe96e59acf96dd0fef5e9db9e93e924afd17fe1066c04b0d9bf9e2d60c335db4f0347107a63d92dfc9ba9b166d2e3151e5440232f63da |
C:\ProgramData\AE51.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | 09dbbdd8e109019972ca73e323fb06eb |
| SHA1 | 642884fa2e69a3207d117bef7dd8414c395c7267 |
| SHA256 | 3d12a0a8d03e2a3e6c0c15e2d681f6468ed732277d1bf7a6e73f5be96b970163 |
| SHA512 | 945f3a3dabb1e59a8034aabed03dff79bdaf32a40966b067fb50ebffa3afd774363eee188e6fc616b4eff512abd2f985f2054d717e483d54773a7ccb4d6af7dd |