Analysis Overview
SHA256
528702f6407cf8dd4934c0bcdb0d719f57f49f10bc9103da59888386572c9b5e
Threat Level: Known bad
The file lockbit.zip.zip was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-09-24 08:54
Signatures
Blackmatter family
Analysis: behavioral3
Detonation Overview
Submitted
2022-09-24 08:54
Reported
2022-09-24 08:56
Platform
win7-20220812-en
Max time kernel
43s
Max time network
46s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
Network
Files
memory/768-54-0x0000000076871000-0x0000000076873000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-09-24 08:54
Reported
2022-09-24 08:56
Platform
win10v2004-20220812-en
Max time kernel
91s
Max time network
146s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 176.113.115.153:421 | | tcp |
| RU | 176.113.115.155:421 | | tcp |
| RU | 176.113.115.154:421 | | tcp |
| RU | 176.113.115.157:421 | | tcp |
| RU | 176.113.115.156:421 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.253.208.113:80 | | tcp |
| US | 8.253.208.113:80 | | tcp |
| US | 8.253.208.113:80 | | tcp |
| US | 8.253.208.113:80 | | tcp |
| BG | 213.91.128.133:10060 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2022-09-24 08:54
Reported
2022-09-24 08:56
Platform
win7-20220901-en
Max time kernel
48s
Max time network
51s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\keygen.exe"
Network
Files
memory/1060-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2022-09-24 08:54
Reported
2022-09-24 08:56
Platform
win10v2004-20220812-en
Max time kernel
91s
Max time network
132s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\keygen.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 93.184.220.29:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-24 08:54
Reported
2022-09-24 08:57
Platform
win7-20220901-en
Max time kernel
45s
Max time network
49s
Command Line
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
Network
Files
memory/968-54-0x0000000000000000-mapping.dmp
memory/968-55-0x0000000075BB1000-0x0000000075BB3000-memory.dmp
memory/1832-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\priv.key
| MD5 | 52c64d2b009c15abe8890e0aadf52692 |
| SHA1 | c9243886857a9176374912d8afd2d9c541a58f13 |
| SHA256 | 4e8c8b2dfeb1824e49ae7c144cabf2d2a3039b68fb07ed22ca46dda24b4ba4f3 |
| SHA512 | d59bb874d2b49e95c05307a19b6423e0a3097437b5ea6145b6c35bf1a45d850745dd27946f29463aba9c6bb3e5b731b3c939e8ac1f2375b329f4aefe46fb9b5d |
memory/1640-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
| MD5 | 30527fac5024d3cda3b6750f5fb5f0a4 |
| SHA1 | bf7408320b05d85d36c82490d94ec4c17ed51f75 |
| SHA256 | 39abba5465935540c2ab030ec165731dff0129a7eb4d411dc71b266fdb5f82eb |
| SHA512 | 303efa42a09b720fe5836961fe72cdda1364f863a848e95e77a69d7acd6a236bfcaa841c1e3de76a70d6c54a5d56a1cef1b1830e5aa73ad8abcec530fc8bee99 |
memory/1636-62-0x0000000000000000-mapping.dmp
memory/1008-64-0x0000000000000000-mapping.dmp
memory/856-66-0x0000000000000000-mapping.dmp
memory/556-68-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-24 08:54
Reported
2022-09-24 08:56
Platform
win10v2004-20220812-en
Max time kernel
78s
Max time network
152s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
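The behavioral1 and behavioral2 process trees above are the complete build workflow of the leaked LockBit 3.0 builder as the sandbox observed it: cmd.exe runs Build.bat, keygen.exe writes a pub.key/priv.key pair into the Build directory, and builder.exe is invoked six times against the same config.json, once with -type dec for the decryptor and five times with -type enc for the EXE, password-protected EXE (-pass), rundll32 DLL, password-protected DLL and reflective DLL (-ref) variants. Three things a responder should take from this report: the key pair is regenerated on every run (the priv.key and pub.key hashes listed under behavioral1 and behavioral2 differ), so hashes of those files and of the payloads built from them are not stable indicators, while the command-line shape is; the Network rows in the Windows 10 runs carry no process attribution, and 93.184.220.29:80 shows up in all three of them including the keygen-only run (behavioral6), so none of those connections should be treated as builder C2 on this evidence alone; and the static "Blackmatter family" hit is consistent with LockBit 3.0's widely documented reuse of BlackMatter code rather than a misattribution. The Python below is an added example, not code from the report or from the builder: it parses process-creation records into tool/flag form, matches the keygen and builder invocations on their flag combinations, links each builder run back to the keygen output directory, and lists the artefacts a build session leaves on disk. The sample events are constructed from the command lines shown above; the "cmdline" field and the rule names are assumptions modelled loosely on Sysmon Event ID 1, not a real telemetry schema.

```python
"""Hunt for the leaked LockBit 3.0 builder in process-creation telemetry.

Added example; not code from the sandbox report or from the builder.
SAMPLE_EVENTS is constructed from the Build.bat process tree in the report.
The "cmdline" field and the rule names are assumptions modelled loosely on
Sysmon Event ID 1, not a real telemetry schema.
"""
from __future__ import annotations

import shlex
from collections import Counter

TMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed sample: one record per process in the observed tree, plus one
# unrelated cmd.exe invocation to show the rules stay quiet on ordinary use.
SAMPLE_EVENTS = [{"cmdline": c} for c in (
    rf'cmd /c "{TMP}\Build.bat"',
    rf"keygen -path {TMP}\Build -pubkey pub.key -privkey priv.key",
    rf"builder -type dec -privkey {TMP}\Build\priv.key -config config.json -ofile {TMP}\Build\LB3Decryptor.exe",
    rf"builder -type enc -exe -pubkey {TMP}\Build\pub.key -config config.json -ofile {TMP}\Build\LB3.exe",
    rf"builder -type enc -exe -pass -pubkey {TMP}\Build\pub.key -config config.json -ofile {TMP}\Build\LB3_pass.exe",
    rf"builder -type enc -dll -pubkey {TMP}\Build\pub.key -config config.json -ofile {TMP}\Build\LB3_Rundll32.dll",
    rf"builder -type enc -dll -pass -pubkey {TMP}\Build\pub.key -config config.json -ofile {TMP}\Build\LB3_Rundll32_pass.dll",
    rf"builder -type enc -ref -pubkey {TMP}\Build\pub.key -config config.json -ofile {TMP}\Build\LB3_ReflectiveDll_DllMain.dll",
    r'cmd /c "dir C:\Users\Admin"',  # benign noise; must not match
)]


def parse_cmdline(cmdline: str) -> tuple[str, dict]:
    """Split a Windows command line into (tool basename, {flag: value or True}).

    posix=False keeps backslashes in paths intact. A single-dash flag followed
    by a token that is not itself a flag takes that token as its value;
    otherwise it is a bare switch (-exe, -dll, -ref, -pass).
    """
    argv = shlex.split(cmdline, posix=False)
    tool = argv[0].strip('"').rsplit("\\", 1)[-1].lower()
    if tool.endswith(".exe"):
        tool = tool[:-4]
    opts: dict = {}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and len(tok) > 1:
            key = tok[1:].lower()
            if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                opts[key] = argv[i + 1].strip('"')
                i += 2
                continue
            opts[key] = True
        i += 1
    return tool, opts


def match_event(event: dict) -> str | None:
    """Return a rule name when the command line has the builder's flag shape.

    Keyed on the flag combination rather than on the binary name, because
    keygen.exe and builder.exe are trivially renamed by an operator.
    """
    _, o = parse_cmdline(event["cmdline"])
    if {"path", "pubkey", "privkey"}.issubset(o):
        return "lockbit3_builder_keygen"
    if (o.get("type") in ("enc", "dec") and "config" in o and "ofile" in o
            and ("pubkey" in o or "privkey" in o)):
        return f"lockbit3_builder_{o['type']}"
    return None


def summarize_build(events: list[dict]) -> dict:
    """Correlate matched events into one build session.

    Links each builder run to the keygen run through the key directory and
    records the payload artefacts the session leaves on disk.
    """
    hits: Counter = Counter()
    flags: Counter = Counter()
    key_dir = None
    outputs: list[str] = []
    for ev in events:
        rule = match_event(ev)
        if rule is None:
            continue
        hits[rule] += 1
        _, o = parse_cmdline(ev["cmdline"])
        if rule.endswith("_keygen"):
            key_dir = o["path"].rstrip("\\").lower()
            continue
        key = o.get("pubkey") or o.get("privkey")
        if key_dir and isinstance(key, str) and key.rsplit("\\", 1)[0].lower() == key_dir:
            flags["linked_to_keygen"] += 1
        outputs.append(o["ofile"].rsplit("\\", 1)[-1])
        for switch in ("exe", "dll", "ref", "pass"):
            if o.get(switch) is True:
                flags[switch] += 1
    return {"hits": dict(hits), "key_dir": key_dir,
            "outputs": outputs, "flags": dict(flags)}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{match_event(ev) or '-':24} {ev['cmdline'][:72]}")
    print(summarize_build(SAMPLE_EVENTS))
```

Run as a script it prints the per-event verdict and the session summary; for hunting, feed it Sysmon Event ID 1 or EDR process-creation events mapped to the same single "cmdline" field. The decryptor run is reported separately from the five encryptor runs because it is the one invocation that handles priv.key, the file that matters most if a build directory is ever recovered from an operator's host.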
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 95.101.78.106:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 20.44.10.122:443 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
Files
memory/4040-132-0x0000000000000000-mapping.dmp
memory/3344-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\priv.key
| MD5 | e581f5b03f0829e513c03e2469e1a513 |
| SHA1 | a52bb1d40ff8db2c79950c50d78ec2cec4525d58 |
| SHA256 | 35a4eef1759615e35eadf51dcbbacc6ed9b4005ee70db23ed83bda364ff18363 |
| SHA512 | e9847dcbfd0c6aacc43e0787a95bbfe2b080ff05250d635b089349ac5695a4c71ed2f8b591be77b30f3bb255ff9f7acd0604ed117131b85d23f88ea83dad1c98 |
memory/4068-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
| MD5 | e181ae9e976e8cd643289cca1780b475 |
| SHA1 | 2df7c3157336da05c94ee80deb32ed24b7a9bd6b |
| SHA256 | c666bcfe1a214c4e5cd020ce81ef5bcfc16fad565bef8615c6e63f736b34a87b |
| SHA512 | 566dc8a3997f6c1df91576c25f07813b2eb45f0df72d279e2382d317d03a279e6afa0543ce79ec11191aa3ee1ac0c73438bb22e2f6abf3911bf896e9e80afe71 |
memory/4816-137-0x0000000000000000-mapping.dmp
memory/4916-138-0x0000000000000000-mapping.dmp
memory/4872-139-0x0000000000000000-mapping.dmp
memory/5080-140-0x0000000000000000-mapping.dmp