LockBit
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
8 syscalls cited
- NtTerminateProcess
Terminates a target process and all of its threads with a given exit status.
- NtSuspendProcess
Suspends every thread in a target process by incrementing each thread's suspend count.
- NtResumeProcess
Decrements every thread's suspend count in a target process, resuming threads that reach zero.
- NtRaiseHardError
Raises a 'hard error' that the kernel routes to CSRSS for UI prompting — or, with SeShutdownPrivilege and FATAL severity, triggers an immediate bugcheck (BSOD).
- NtCreateFile
Creates or opens a file, directory, device, or named pipe — every dropper's first call to disk.
- NtWriteFile
Writes data to an open file, pipe, or device — the kernel companion to NtCreateFile for dropping payloads.
- NtSetInformationFile
Sets file metadata via FILE_INFORMATION_CLASS — rename, dispose (delete), allocate, end-of-file, etc.
- NtDuplicateObject
Duplicates a handle from a source process into a target process, optionally adjusting access or closing the source.