Malware Analysis Report

2024-10-16 03:22

Sample ID 220922-ej8lnadebj
Target LockBit3Builder.zip
SHA256 07f022c9e5d007d17ab6aef023551b2c4a2f806df0397c4c5c517b0e76d49ab1
Tags
blackmatter
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07f022c9e5d007d17ab6aef023551b2c4a2f806df0397c4c5c517b0e76d49ab1

Threat Level: Known bad

The file LockBit3Builder.zip was found to be: Known bad.

Malicious Activity Summary

blackmatter

Blackmatter family

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-09-22 03:59

Signatures

Blackmatter family

blackmatter

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-22 03:59

Reported

2022-09-22 04:00

Platform

win10v2004-20220812-en

Max time kernel

32s

Max time network

35s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\LockBit3Builder.zip

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4548 wrote to memory of 4520 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\keygen.exe
PID 4548 wrote to memory of 4520 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\keygen.exe
PID 4548 wrote to memory of 4520 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\keygen.exe
PID 4548 wrote to memory of 4084 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 4084 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 4084 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 2476 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 2476 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 2476 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 3932 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 3932 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 3932 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 1296 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 1296 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 1296 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 1244 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 1244 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe
PID 4548 wrote to memory of 1244 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\LockBit3Builder.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build.bat" "

C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\keygen.exe

keygen -path C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build -pubkey pub.key -privkey priv.key

C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe

builder -type dec -privkey C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\LB3Decryptor.exe

C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe

builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\LB3.exe

C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe

builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\LB3_pass.exe

C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe

builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\LB3_Rundll32.dll

C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe

builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\LB3_Rundll32_pass.dll

C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\builder.exe

builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\LB3_ReflectiveDll_DllMain.dll

Network

Files

memory/4520-132-0x0000000000000000-mapping.dmp

memory/4084-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\priv.key

MD5 e8600afebd1f7421fbf57099d42dfa1b
SHA1 1cf7bd166c34ffeb9440b68a10d01f511e8db890
SHA256 3397ebb13705235773173a08b6a8c2060ec72f469f2a00dfdf39d7137ab8df5c
SHA512 64481188c94669ca34ad546a6c2063dbbd20dc485322999a4f6c7576fd18f1c7220bff01aacff62f079c05236e614f0b866b8aa2888c75edf0d0cb4f0da79913

memory/2476-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\Desktop\LockBit3Builder\LockBit3Builder\Build\pub.key

MD5 b4b782f810f70700875959f7371f4c9f
SHA1 5bcc6e1ea4c51e6c13afc3a844920b7dcb3af229
SHA256 474faf8952d3b3ad57ca6518982f756e350d4073529d2ec0bb7b84bb8d71cfe5
SHA512 eea7c5dcac71066551654bf04e834f5cd0da777a817abb3daf7405548ad923799f6fdd2ca531e5e26ae8892adb2e8607e14934ad968a473fdf317d51e423a71a

memory/2816-137-0x0000000000000000-mapping.dmp

memory/3932-138-0x0000000000000000-mapping.dmp

memory/1296-139-0x0000000000000000-mapping.dmp

memory/1244-140-0x0000000000000000-mapping.dmp