File name:	Lockbit 3 Builder.7z
Full analysis:	https://app.any.run/tasks/2cb2f236-f62f-48ac-b931-2c8c649bc9fc
Verdict:	Malicious activity
Threats:	LockBit, a ransomware variant, encrypts data on infected machines, demanding a ransom payment for decryption. Used in targeted attacks, It's a significant risk to organizations. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	June 13, 2024, 17:05:54
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	ransomware lockbit
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	C9C2F3805F0012628E9D62E8F75AF4DD
SHA1:	B6269B1FC8813B93C11EC6066DC33D9F99F2E431
SHA256:	B2C3BEDA4B000A3D9AF0A457D6D942EC81696F3ED485F7CF723B18008A5F3D10
SSDEEP:	3072:pYWJsCuSlRODbWhyyZZsZ77n4s31uZzd2ppyMPOLOcrgCz:pbuSlicZyx4W1uLYpyMPOLjhz

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)


(PID) Process:	(5388) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	VerInfo
Value: 005B0500667295FAB3BDDA01
(PID) Process:	(5388) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(5388) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(5388) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(5388) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\AppData\Local\Temp
(PID) Process:	(5388) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5388) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5388) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5388) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5388) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Operation:	write	Name:	Band76_0
Value: 4C000000730100000402000000000000F0F0F00000000000000000000000000000000000000000004A00070000000000000000003B000000B402000000000000000000000000000001000000

PID	Process	Filename		Type
2412	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb2412.28827\LBLeak\config.json		binary
		MD5:A6BA7B662DE10B45EBE5B6B7EDAA62A9	SHA256:3F7518D88AEFD4B1E0A1D6F9748F9A9960C1271D679600E34F5065D8DF8C9DC8
1480	keygen.exe	C:\Users\admin\Desktop\LBLeak\Build\priv.key		text
		MD5:C761C79FDA5DCAA5741E4BDCD1D9DD02	SHA256:400465E7749916C8960D109D6B2D59C4679FC64F65C48472F505200E821D8050
3956	builder.exe	C:\Users\admin\Desktop\LBLeak\Build\Password_exe.txt		text
		MD5:C34633DF02F4386C649C010E06AE7A2D	SHA256:1AC3C68F54DC11D51BA6E151BB03EF0A3F52BFFBDA61128C36FFD4E41612793D
1576	builder.exe	C:\Users\admin\Desktop\LBLeak\Build\LB3Decryptor.exe		executable
		MD5:D5005BD4E6B86FA2AD67300A0C267A97	SHA256:D5658C10AF781E5697273BFD5F0CA2EEC8D7A5025DEC2F0FDB70B149D6F960B9
4476	builder.exe	C:\Users\admin\Desktop\LBLeak\Build\LB3_Rundll32.dll		executable
		MD5:A810E1D7B35925059FED291877DC166D	SHA256:7B8BB31F28FAD9CC9AC17602F152153E070F6F5915DAB0FC6054E5D85D9E0833
2908	WindowsTerminal.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JRS43J02L2YM54RBTX0M.temp		binary
		MD5:01381A33F86649FB5AF55C60025E4507	SHA256:78A445DFB4CD9CD4E4852CDC733D55712F57EA072F842FA91361ED7B4A320B0C
5388	WinRAR.exe	C:\USERS\ADMIN\APPDATA\ROAMING\WINRAR\VERSION.DAT		binary
		MD5:933712A1B50E5E1F1293CCD0B7C3CC47	SHA256:565AF8706A67FD7B6C84D0C41258906BC34E7E03979AE56F3B545FA7C5C59FA5
2412	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb2412.28827\LBLeak\builder.exe		executable
		MD5:8C689DC9E82C9356B990D2B67B4943E1	SHA256:E8E2DEB0A83AEBB1E2CC14846BC71715343372103F279D2D1622E383FB26D6EF
2412	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb2412.28827\LBLeak\Build.bat		text
		MD5:4E46E28B2E61643F6AF70A8B19E5CB1F	SHA256:8E83A1727696CED618289F79674B97305D88BEEEABF46BD25FC77AC53C1AE339
2908	WindowsTerminal.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16f2f0042ddbe0e8.customDestinations-ms~RF128313.TMP		binary
		MD5:35F7CB74FE5446764D34580D180505B6	SHA256:40526E2FC7874D00C634694249F85AB7E92A7F019FC97A950C1B452DD8195EA6

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	403	23.53.113.159:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
—	—	POST	403	23.53.113.159:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
—	—	POST	403	23.53.113.159:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
—	—	POST	403	23.53.113.159:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
2828	svchost.exe	GET	200	95.101.63.72:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?3a3082f95a18b6d2	unknown	—	—	unknown
2828	svchost.exe	GET	200	95.101.63.72:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?17b2b73c54e86f00	unknown	—	—	unknown
3444	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
—	—	POST	403	23.53.113.159:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
—	—	POST	403	23.53.113.159:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
—	—	POST	403	23.53.113.159:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
5880	svchost.exe	23.53.114.19:443	fs.microsoft.com	AKAMAI-AS	US	unknown
—	—	23.53.113.159:80	go.microsoft.com	AKAMAI-AS	US	unknown
4552	svchost.exe	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
2868	OfficeClickToRun.exe	20.189.173.26:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2868	OfficeClickToRun.exe	192.229.221.95:80	—	EDGECAST	US	whitelisted
2828	svchost.exe	95.101.63.72:80	ctldl.windowsupdate.com	Akamai International B.V.	GB	unknown
2844	svchost.exe	52.182.143.213:443	v20.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2844	svchost.exe	13.89.179.11:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
1216	ONENOTE.EXE	52.109.32.97:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	unknown

Domain	IP	Reputation
fs.microsoft.com	23.53.114.19	whitelisted
go.microsoft.com	23.53.113.159	whitelisted
self.events.data.microsoft.com	20.189.173.26 20.189.173.9	whitelisted
ctldl.windowsupdate.com	95.101.63.72 95.101.63.96 95.101.63.90	whitelisted
v20.events.data.microsoft.com	52.182.143.213	whitelisted
dns.msftncsi.com	131.107.255.255 fd3e:4f5a:5b81::1	shared
officeclient.microsoft.com	52.109.32.97	whitelisted
login.live.com	20.190.159.68 20.190.159.23 40.126.31.73 20.190.159.75 20.190.159.4 20.190.159.71 20.190.159.73 20.190.159.0 40.126.31.71 20.190.159.64 40.126.31.69 20.190.159.2	whitelisted
ecs.office.com	52.113.194.132	whitelisted

General Info

Lockbit 3 Builder.7z

C9C2F3805F0012628E9D62E8F75AF4DD

B6269B1FC8813B93C11EC6066DC33D9F99F2E431

B2C3BEDA4B000A3D9AF0A457D6D942EC81696F3ED485F7CF723B18008A5F3D10

3072:pYWJsCuSlRODbWhyyZZsZ77n4s31uZzd2ppyMPOLOcrgCz:pbuSlicZyx4W1uLYpyMPOLjhz

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Renames files like ransomware

[YARA] LockBit is detected

Known privilege escalation attack

Steals credentials from Web Browsers

Creates a writable file in the system directory

Actions looks like stealing of personal data

Scans artifacts that could help determine the target

SUSPICIOUS

Detected use of alternative data streams (AltDS)

Reads the date of Windows installation

Reads the Internet Settings

Executing commands from a ".bat" file

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Starts POWERSHELL.EXE for commands execution

The process creates files with name similar to system file names

Creates files like ransomware instruction

Write to the desktop.ini file (may be used to cloak folders)

Changes the desktop background image

Starts application with an unusual extension

Hides command output

Reads settings of System Certificates

Checks Windows Trust Settings

Creates file in the systems drive root

INFO

Drops the executable file immediately after the start

Dropped object may contain TOR URL's

Reads the computer name

Executable content was dropped or overwritten

Checks supported languages

Manual execution by a user

Checks current location (POWERSHELL)

Uses string replace method (POWERSHELL)

Gets data length (POWERSHELL)

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Creates files in the program directory

Create files in a temporary directory

Reads Microsoft Office registry keys

Reads product name

Checks proxy server information

Reads the software policy settings

Reads CPU info

Reads Environment values

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information