The LockBit 3 Black Forensics Analysis Part II

October 24, 2023

Paulo Pereira, PhD

This article is the second part of a LockBit 3.0 Black (LB3B) investigation, describing the difficulties when performing a memory forensics analysis using the open-source tool Volatility 3. Similarly, we’ll be discussing new obfuscation techniques employed by attackers in malware development. LB3B is a ransomware with several features that still need further forensic analysis. LB3B ransomware challenges any forensic security analyst. It has an advanced obfuscation that makes it difficult to search for evidence that demonstrates the behavior of the artifact. This article describes an analysis of memory captured at the time of infection in a host.

The tools and test environment

The test environment brings together a Kali Linux (2022.4 release) virtual machine (to run Volatility 3) and a Windows 10 virtual machine. The following tools are installed on the Windows 10 machine:

a) The Sysinternals Suite for using tools such as: procexp, autoruns, procmon, and sigcheck

b) FTKImager (version

c) XDBG64 (to parse some function calls from Lb3.exe)

d) Ghidra (to parse the LB3.exe code)

The Windows 10 infection stages and snapshots

In this forensic analysis, the Windows 10 virtual machine (running on VMWare Workstation 16) was infected twice. The first infection process is called infected1; and infected2 is the second one, as shown in Figure 1. All phases of this test environment appear in the snapshots created for each stage. For both cases, the LB3.exe file was generated by the Builder.bat file and executed in the specific infection stages.


Paulo Pereira
Paulo Pereira is an independent malware analyst, Cyber Security Professional, EXIN Instructor.
Notify of

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023