File name:	LockBit.zip
Full analysis:	https://app.any.run/tasks/4b2cc7b2-106c-479d-859b-3a8afc3ce6f6
Verdict:	Malicious activity
Threats:	LockBit, a ransomware variant, encrypts data on infected machines, demanding a ransom payment for decryption. Used in targeted attacks, It's a significant risk to organizations. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	April 09, 2024, 04:33:52
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	ransomware lockbit
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:	87739F580B661ADE6070F82DA99A8DF8
SHA1:	CF824C94022C38B7905CDFCBBCA92DA61EFE4899
SHA256:	F2301A1B3D390E3709AC6B19D0C00EFE2829110AD22641A00B1D94C586203F27
SSDEEP:	3072:pfY8SsjgU0E+VRzICygikLVSnAUvMohBMQ47cqiYf5wHH:5Y8NjF+/IzgikLVO1NbMHcuf5W

ZipRequiredVersion:	51
ZipBitFlag:	0x0003
ZipCompression:	Unknown (99)
ZipModifyDate:	2024:04:08 13:34:56
ZipCRC:	0x9b0f71d4
ZipCompressedSize:	95256
ZipUncompressedSize:	149504
ZipFileName:	0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe


(PID) Process:	(5068) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	VerInfo
Value: 005B050005B00125378ADA01
(PID) Process:	(5068) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(5068) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(5068) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\LockBit.zip
(PID) Process:	(5068) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5068) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5068) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5068) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5068) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(5068) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1D01000098000000DD0400007B020000

PID	Process	Filename		Type
5068	WinRAR.exe	C:\USERS\ADMIN\APPDATA\ROAMING\WINRAR\VERSION.DAT		binary
		MD5:—	SHA256:—
5068	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb5068.23488\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe		executable
		MD5:—	SHA256:—
6092	0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe	C:\ProgramData\AFfGduKAp.ico		image
		MD5:—	SHA256:—
6092	0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe	C:\AFfGduKAp.README.txt		text
		MD5:—	SHA256:—
6092	0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe	C:\$Recycle.Bin\S-1-5-18\desktop.ini		—
		MD5:—	SHA256:—
6092	0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe	C:\$Recycle.Bin\S-1-5-18\AAAAAAAAAAA		—
		MD5:—	SHA256:—
6092	0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe	C:\DumpStack.log.AFfGduKAp		binary
		MD5:—	SHA256:—
6092	0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe	C:\$Recycle.Bin\S-1-5-18\BBBBBBBBBBB		—
		MD5:—	SHA256:—
6092	0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe	C:\$Recycle.Bin\S-1-5-18\CCCCCCCCCCC		—
		MD5:—	SHA256:—
6092	0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe	C:\Users\AFfGduKAp.README.txt		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1412	svchost.exe	GET	200	2.16.164.42:80	http://www.msftconnecttest.com/connecttest.txt	unknown	—	—	unknown
3752	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b1d3162992d7bb9c	unknown	—	—	unknown
3752	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	224.0.0.251:5353	—	—	—	unknown
1412	svchost.exe	2.16.164.99:80	—	Akamai International B.V.	NL	unknown
5944	svchost.exe	2.19.244.127:443	—	AKAMAI-AS	DE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4588	svchost.exe	239.255.255.250:1900	—	—	—	unknown
1412	svchost.exe	2.16.164.42:80	—	Akamai International B.V.	NL	unknown
3752	svchost.exe	20.190.159.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3752	svchost.exe	199.232.214.172:80	ctldl.windowsupdate.com	FASTLY	US	unknown
3752	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5948	taskhostw.exe	20.82.217.86:443	cs.dds.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

Domain	IP	Reputation
login.live.com	20.190.159.71 40.126.31.73 20.190.159.0 40.126.31.67 20.190.159.64 20.190.159.4 20.190.159.68 20.190.159.73	whitelisted
ctldl.windowsupdate.com	199.232.214.172 199.232.210.172	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
v20.events.data.microsoft.com	52.182.143.215	whitelisted
cs.dds.microsoft.com	20.82.217.86	whitelisted
v10.events.data.microsoft.com	52.182.143.215	whitelisted
edge.microsoft.com	13.107.21.239 204.79.197.239	whitelisted
edgeassetservice.azureedge.net	13.107.246.45 13.107.213.45	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
dns.msftncsi.com	131.107.255.255 fd3e:4f5a:5b81::1	shared

General Info

LockBit.zip

87739F580B661ADE6070F82DA99A8DF8

CF824C94022C38B7905CDFCBBCA92DA61EFE4899

F2301A1B3D390E3709AC6B19D0C00EFE2829110AD22641A00B1D94C586203F27

3072:pfY8SsjgU0E+VRzICygikLVSnAUvMohBMQ47cqiYf5wHH:5Y8NjF+/IzgikLVO1NbMHcuf5W

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Known privilege escalation attack

Drops the executable file immediately after the start

Steals credentials from Web Browsers

[YARA] LockBit is detected

Actions looks like stealing of personal data

Renames files like ransomware

SUSPICIOUS

Creates files like ransomware instruction

Non-standard symbols in registry

Reads security settings of Internet Explorer

Reads the Internet Settings

Changes the desktop background image

Starts application with an unusual extension

Executable content was dropped or overwritten

Reads the date of Windows installation

Hides command output

Starts CMD.EXE for commands execution

Creates file in the systems drive root

Write to the desktop.ini file (may be used to cloak folders)

INFO

Manual execution by a user

Executable content was dropped or overwritten

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Create files in a temporary directory

Dropped object may contain TOR URL's

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats