Malware Analysis Report

2024-10-16 03:22

Sample ID 220922-1n8ywagbeq
Target Desktop.rar
SHA256 49261ea0d0c417ebae0e0fb1e56ad02cb7fe9ae16a76edb7c4e70c754b53370f
Tags: blackmatter
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

49261ea0d0c417ebae0e0fb1e56ad02cb7fe9ae16a76edb7c4e70c754b53370f

Threat Level: Known bad

The file Desktop.rar was found to be: Known bad.

Malicious Activity Summary

blackmatter

Blackmatter family

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-09-22 21:48

Signatures

Blackmatter family

blackmatter

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-22 21:48

Reported

2022-09-22 21:49

Platform

win10v2004-20220812-en

Max time kernel

30s

Max time network

32s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"

Signatures

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                     | Target
PID 4636 wrote to memory of 3196 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\keygen.exe
PID 4636 wrote to memory of 3196 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\keygen.exe
PID 4636 wrote to memory of 3196 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\keygen.exe
PID 4636 wrote to memory of 3544 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 3544 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 3544 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 4132 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 4132 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 4132 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 2756 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 2756 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 2756 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 1688 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 1688 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 1688 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 828  | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 828  | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 828  | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 1844 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 1844 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe
PID 4636 wrote to memory of 1844 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\builder.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"

C:\Users\Admin\AppData\Local\Temp\keygen.exe

keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key

C:\Users\Admin\AppData\Local\Temp\builder.exe

builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe

C:\Users\Admin\AppData\Local\Temp\builder.exe

builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe

C:\Users\Admin\AppData\Local\Temp\builder.exe

builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe

C:\Users\Admin\AppData\Local\Temp\builder.exe

builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll

C:\Users\Admin\AppData\Local\Temp\builder.exe

builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll

C:\Users\Admin\AppData\Local\Temp\builder.exe

builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll

Network

Files

memory/3196-132-0x0000000000000000-mapping.dmp

memory/3544-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Build\priv.key

MD5 9844125e309999a9e880ff2bb4e07066
SHA1 74cebd392abb7196bbb8e56a1e520fda84d850ac
SHA256 de3a731befd37ee0e7c80a294f2e60a131f318d9de9e8878f05150f03f0d5507
SHA512 c890412b7908bda24868dbd37827d5b2c078d6ee6e2a998550ed29af107ece16249361a76a380c9c081794f1ba9c4d393e6eec4496de47c4d83fa2e6b85d7f28

memory/4132-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Build\pub.key

MD5 538e67c91ac9ee8b8480fa3552de00bf
SHA1 5fcd1944a59964e8b59f20acb5ed00c3ebf7c41c
SHA256 9cd1836ad2ae866cdd37c1abfbd185e9fadc6d11166e0cbcb68bfbc199e123cd
SHA512 3dba86b32e003415d14510f806f6bd3e3036fd848d12335af86245d540c415fe39aa310b1287001d7fc288e7e7077f33e4bf8e7616ec5df7e09affbc3daf56b5

memory/2756-137-0x0000000000000000-mapping.dmp

memory/1688-138-0x0000000000000000-mapping.dmp

memory/828-139-0x0000000000000000-mapping.dmp

memory/1844-140-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-22 21:48

Reported

2022-09-22 21:49

Platform

win10v2004-20220901-en

Max time kernel

30s

Max time network

32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\builder.exe

"C:\Users\Admin\AppData\Local\Temp\builder.exe"

Network

Country | Destination        | Domain | Proto
US      | 93.184.221.240:80  |        | tcp
US      | 20.189.173.1:443   |        | tcp
N/A     | 52.152.110.14:443  |        | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-09-22 21:48

Reported

2022-09-22 21:49

Platform

win10v2004-20220812-en

Max time kernel

30s

Max time network

32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen.exe

"C:\Users\Admin\AppData\Local\Temp\keygen.exe"

Network

Country | Destination        | Domain | Proto
US      | 93.184.220.29:80   |        | tcp
US      | 93.184.221.240:80  |        | tcp
US      | 93.184.221.240:80  |        | tcp
N/A     | 52.152.110.14:443  |        | tcp

Files

N/A