Analysis Overview
SHA256
6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417
Threat Level: Known bad
The file 6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe was found to be: Known bad.
Malicious Activity Summary
Rule to detect Lockbit 3.0 ransomware Windows payload
Braincipher family
Brain Cipher
Lockbit family
Deletes itself
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Indicator Removal: File Deletion
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-21 06:50
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-21 06:50
Reported
2025-04-21 06:53
Platform
win10v2004-20250410-en
Max time kernel
103s
Max time network
139s
Command Line
Signatures
Brain Cipher
Braincipher family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\ProgramData\A4AC.tmp | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\A4AC.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\A4AC.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2645532622-3298555945-705856666-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2645532622-3298555945-705856666-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | N/A |
Indicator Removal: File Deletion
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\A4AC.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\A4AC.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5124 wrote to memory of 3284 | N/A | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | C:\ProgramData\A4AC.tmp |
| PID 3284 wrote to memory of 4160 | N/A | C:\ProgramData\A4AC.tmp | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
"C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe"
C:\ProgramData\A4AC.tmp
"C:\ProgramData\A4AC.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A4AC.tmp >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 172.217.16.67:80 | c.pki.goog | tcp |
Files
C:\$Recycle.Bin\S-1-5-21-2645532622-3298555945-705856666-1000\WWWWWWWWWWW
| MD5 | 6f73ac7100e6aedaede583949f93266f |
| SHA1 | 0a56410fda66e8226359ec7b8eede029e53547a3 |
| SHA256 | a093e168eb34a4ccbdfa452c0b0b4dfd484447845aef68b6a97e378f12e20b0d |
| SHA512 | 5698f2301a4032a1b78fc9e30ae5a2edcc80bb93430e52403aa8e7166006fcd4dcded46730ebac465034c7f77fd32bbc2db3fe122834b65bdb5c6cb7d58546d5 |
F:\$RECYCLE.BIN\S-1-5-21-2645532622-3298555945-705856666-1000\DDDDDDDDDDD
| MD5 | 2214c55ead3fb39f0c6685ca69e8fe6e |
| SHA1 | ce0b8439e653dd31557238a980a5e93bf156e389 |
| SHA256 | 95cf3bd02307b94af7eb13bf0b1b54d8dce26956ab12d6b7bb1c224b63c50cf9 |
| SHA512 | 9c70eb746732fe27a4282f431071fe37fdf1e6cb5650ffb5144e072d482b736d1983cd86ff70c8dca82aab512b631b36d960cf453c88e3b413d9569ad694761d |
C:\flzQgniJJ.README.txt
| MD5 | 3bebb5494e1c3d4753ce92a479e7eda5 |
| SHA1 | 243685d0515d19210e4e2f354d367be6212e98ff |
| SHA256 | 13d69c85aeb5beab58caefaa2cdc257d668f568103a5cebbd98038b3b66b66bd |
| SHA512 | 0e31e7bf96fbd6bb91fbe96e59acf96dd0fef5e9db9e93e924afd17fe1066c04b0d9bf9e2d60c335db4f0347107a63d92dfc9ba9b166d2e3151e5440232f63da |
C:\ProgramData\A4AC.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | 51d04cad2d4d2342c609be20bfaf3d01 |
| SHA1 | d85e22dec1bd5e9a6c09562f4ed889680945fd18 |
| SHA256 | dd160351a0cccbbb42c006af3e5626982092e36728aadac10425e8d9dec91ca0 |
| SHA512 | c81913a216711c962e44b25daee81b00cc1421c69d3011d61e3b8c683fd610c30cd60071dfc63cb481e7d1f9559dce244268d4fe90e71277f048ecb1676cd769 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-21 06:50
Reported
2025-04-21 06:53
Platform
win11-20250411-en
Max time kernel
101s
Max time network
104s
Command Line
Signatures
Brain Cipher
Braincipher family
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\660D.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\660D.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2316063146-1984817004-4437738-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2316063146-1984817004-4437738-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | N/A |
Indicator Removal: File Deletion
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\660D.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\660D.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5840 wrote to memory of 5820 | N/A | C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe | C:\ProgramData\660D.tmp |
| PID 5820 wrote to memory of 1304 | N/A | C:\ProgramData\660D.tmp | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
"C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe"
C:\ProgramData\660D.tmp
"C:\ProgramData\660D.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\660D.tmp >> NUL
Network
Files
C:\$Recycle.Bin\S-1-5-21-2316063146-1984817004-4437738-1000\AAAAAAAAAAA
| MD5 | a715562a38dee8df4f8b2599c2819efe |
| SHA1 | 61eea53163f418186ec5dbdcc78af15e2f8a8c9c |
| SHA256 | a1a87845db0e8a9d6a870c8d28694162288f129e75676c479a69e3e0307f1399 |
| SHA512 | 0fb6580412f32fb9a4b4d5cf4ffb5a827dff4e209ce481dfd03be386ba6fcadd942fa254b0ae341dfbc535e4815dc1288d15c9a5c5c8353bca87ae9d37c0afb2 |
C:\flzQgniJJ.README.txt
| MD5 | 3bebb5494e1c3d4753ce92a479e7eda5 |
| SHA1 | 243685d0515d19210e4e2f354d367be6212e98ff |
| SHA256 | 13d69c85aeb5beab58caefaa2cdc257d668f568103a5cebbd98038b3b66b66bd |
| SHA512 | 0e31e7bf96fbd6bb91fbe96e59acf96dd0fef5e9db9e93e924afd17fe1066c04b0d9bf9e2d60c335db4f0347107a63d92dfc9ba9b166d2e3151e5440232f63da |
F:\$RECYCLE.BIN\S-1-5-21-2316063146-1984817004-4437738-1000\DDDDDDDDDDD
| MD5 | b4a66b3c8ae289072d16a9fde5e67cb5 |
| SHA1 | df78faf6f7199e9bea67c74a8682216c224151f0 |
| SHA256 | 8fc28807478b169a16eb650006fb8e21f455712b35835e00f9a6fd36a17aecba |
| SHA512 | ce1a2cfc01bd090f0d678b490ac4b222331bacb20d104ada201fdfbebaaee5344a583b9eb266b8001ff6fbd1e82c26f7393d0a9f086164d15daccaefaf24b482 |
C:\ProgramData\660D.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | 3b28447509f590d99302a9f13b2e5765 |
| SHA1 | 0986f0ff6b7a538c59e06041642b992fc241bc19 |
| SHA256 | de6a7d5b85dc997c15dc8f2f410f1d1841b428ea9a9e580b36d9cefde206651e |
| SHA512 | 28016eb52252ddd2d78f8b5cee982206d7c96d5b12eb365757db35f6fc52c522a8268967bd8897f72c42a71bd0242c27814190085640ba23cee212db0576ba2d |