Analysis Overview
SHA256
a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d
Threat Level: Known bad
The file LockBit30.zip was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-09-21 11:22
Signatures
Blackmatter family
Analysis: behavioral5
Detonation Overview
Submitted
2022-09-21 11:22
Reported
2022-09-21 11:25
Platform
win7-20220812-en
Max time kernel
40s
Max time network
43s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe"
Network
Files
memory/1516-54-0x0000000075841000-0x0000000075843000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2022-09-21 11:22
Reported
2022-09-21 11:25
Platform
win10v2004-20220812-en
Max time kernel
134s
Max time network
146s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.238.20.126:80 | | tcp |
| US | 8.247.210.126:80 | | tcp |
| US | 20.42.65.84:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-21 11:22
Reported
2022-09-21 11:25
Platform
win7-20220812-en
Max time kernel
42s
Max time network
45s
Command Line
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\LockBit30\Build.bat"
C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\LockBit30\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
Network
Files
memory/1588-54-0x0000000000000000-mapping.dmp
memory/1588-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp
memory/1728-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key
| MD5 | 83e234fa6ee3bd2cf152d41051edc19a |
| SHA1 | a43627bb23c9027aa23691d2e91c550aa569b345 |
| SHA256 | 74b0cd8b83915847162ae7ed20e7bb16eb892e8498d4e4256114a09bf0e3b80c |
| SHA512 | b154722ec9b48b7a968e9a3f43fe5086a89d858df66316907053ca999ae042f133286d979b7a946a341241d485c0b9e3fff5094340fdcf81078345e1590d1036 |
memory/1508-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key
| MD5 | 944d8f924036fb783a9763da83bfabd4 |
| SHA1 | affe367f5df58ddf15b8c8729438be2cefa70301 |
| SHA256 | 9e65437c93485aebd28db59715a4b1c6ed9f6d4b0ba0ea75aa5b56019b18e359 |
| SHA512 | 3fa0e4eb792bddacfbec9866325b7e8b277bcf5adc1da9079fd565706b1f621ba930ee8e071d6a8fa53a5b94c8001ec8aaf78e66504ce3b424af5fa8eab92a74 |
memory/1740-62-0x0000000000000000-mapping.dmp
memory/1348-64-0x0000000000000000-mapping.dmp
memory/988-66-0x0000000000000000-mapping.dmp
memory/1992-68-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-21 11:22
Reported
2022-09-21 11:25
Platform
win10v2004-20220812-en
Max time kernel
91s
Max time network
149s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LockBit30\Build.bat"
C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\LockBit30\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| IE | 13.69.239.72:443 | | tcp |
Files
memory/544-132-0x0000000000000000-mapping.dmp
memory/2880-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key
| MD5 | 541840b9aa47d7ef280341dfc8b2b198 |
| SHA1 | 85e00aceba01b8c228077d97a0caf609164f7e12 |
| SHA256 | e2b26a978fff7d59e087e349d5a6ddbd876836e330df8e7c37712b8b61089f8e |
| SHA512 | d1be3dc2cdf0dfdd8eda00d3fcd08fae4c73b93e92c59076d4cc8202a75bca44d813aa14064f49beb4b97d08d379097bdf3cfa132d50ab7524dbd23ea9be9919 |
memory/3544-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key
| MD5 | 873c164483e5d8940b729ac007d74608 |
| SHA1 | b990d25092038d6c9ec61e0e52b26f4c5b2d6e3a |
| SHA256 | c9de6238ba7eee2486ff6eee3fc860be669b6dba5297bf4a3fc368f020967013 |
| SHA512 | 66897fd2f1cd97bdfab39c7b4c3e35fb4fd845bd2a824660d4a90f0a3f430465266fc25e4f1233b72f8c88246eb1c326806aeeedabee2c0afa6babbd046fb857 |
memory/3700-137-0x0000000000000000-mapping.dmp
memory/2396-138-0x0000000000000000-mapping.dmp
memory/928-139-0x0000000000000000-mapping.dmp
memory/1192-140-0x0000000000000000-mapping.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2022-09-21 11:22
Reported
2022-09-21 11:25
Platform
win7-20220812-en
Max time kernel
42s
Max time network
45s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
"C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe"
Network
Files
memory/1912-54-0x00000000763F1000-0x00000000763F3000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-09-21 11:22
Reported
2022-09-21 11:25
Platform
win10v2004-20220901-en
Max time kernel
75s
Max time network
138s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
"C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 93.184.220.29:80 | | tcp |
| US | 8.253.183.120:80 | | tcp |
| US | 20.42.73.25:443 | | tcp |
| US | 8.253.183.120:80 | | tcp |
| US | 8.253.183.120:80 | | tcp |
| US | 8.253.183.120:80 | | tcp |