Analysis Overview
SHA256
cf39b9aff5b66d9e122fa0d8a8936dd8264eed0d889079b9043d7d0dd9fb6596
Threat Level: Known bad
The file Archive.zip.zip was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-09-24 08:58
Signatures
Blackmatter family
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-24 08:57
Reported
2022-09-24 09:00
Platform
win10v2004-20220812-en
Max time kernel
91s
Max time network
143s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 95.101.78.82:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 52.182.143.208:443 | | tcp |
| LU | 66.203.125.11:443 | | tcp |
| LU | 66.203.125.11:443 | | tcp |
| NL | 8.248.5.254:80 | | tcp |
| NL | 8.248.5.254:80 | | tcp |
Files
memory/4760-132-0x0000000000000000-mapping.dmp
memory/4720-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\priv.key
| Hash | Value |
|---|---|
| MD5 | 06ea004d1a837409185f8c466ee164a3 |
| SHA1 | 0ef9370b36a4f1b8b72d547ce6757374cd39035c |
| SHA256 | aaa934b3374fae9261266acde24ac789520f3820bf2c4451492fe93aad8e9185 |
| SHA512 | 0ee5a2b49743ac8aa2fe332b4dadd98c4c23ff6046f6ad0fcadde120b71e374ef2f5b52fb27aba3908ffc583ddf4c68b6efaa183c4b13ec806ccf108de512ff8 |
memory/4744-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
| Hash | Value |
|---|---|
| MD5 | 34c0d111e3733f9c4fac39c727a2dc4f |
| SHA1 | 18026aff3d8acf94b2a52d75592e4ad908cc320b |
| SHA256 | b078816093e94e75952d6ff846d4b6d09faed44ede4620aca17c8d74650946ab |
| SHA512 | 404ea13cfcf59b80845b94beb22d2e926bfa056fbe815653950e63932248c8032ca93eb0509fd09cee4d64f02cffd88796049b93ea2812b433ab19116a386a36 |
memory/4632-137-0x0000000000000000-mapping.dmp
memory/1640-138-0x0000000000000000-mapping.dmp
memory/4192-139-0x0000000000000000-mapping.dmp
memory/3508-140-0x0000000000000000-mapping.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2022-09-24 08:57
Reported
2022-09-24 09:00
Platform
win7-20220901-en
Max time kernel
45s
Max time network
49s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
Network
Files
memory/1600-54-0x0000000076461000-0x0000000076463000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-09-24 08:57
Reported
2022-09-24 09:00
Platform
win10v2004-20220812-en
Max time kernel
90s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 104.80.225.205:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2022-09-24 08:57
Reported
2022-09-24 09:00
Platform
win7-20220812-en
Max time kernel
42s
Max time network
45s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\keygen.exe"
Network
Files
memory/1948-54-0x0000000075F51000-0x0000000075F53000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2022-09-24 08:57
Reported
2022-09-24 09:00
Platform
win10v2004-20220812-en
Max time kernel
61s
Max time network
149s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\keygen.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 93.184.220.29:80 | | tcp |
| AU | 104.46.162.224:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-24 08:57
Reported
2022-09-24 09:00
Platform
win7-20220812-en
Max time kernel
43s
Max time network
46s
Command Line
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
Network
Files
memory/1716-54-0x0000000000000000-mapping.dmp
memory/1716-55-0x0000000076041000-0x0000000076043000-memory.dmp
memory/1816-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\priv.key
| Hash | Value |
|---|---|
| MD5 | d390e99569d559576ef2829dfc78a1d1 |
| SHA1 | bacfdb298242e36f15745380d481fe3f92cf3854 |
| SHA256 | 7ac9ff628e46383ae42dd54d4dd74913800d8619ce950f2be9c2f4c6fa689bf9 |
| SHA512 | 173fc745f9ae984dea3d68bc606fceae90a4228b57b339577fcb3259e5b198ef53e9f6f7478e7e578c0beb7f0dda29156d64e863e8748c0c98855a9d421c90ca |
memory/1580-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
| Hash | Value |
|---|---|
| MD5 | ea495b886390709f3b80293acadbd43e |
| SHA1 | cfe7956c9d0d34d7ccef9a5e948bc39251e21b1c |
| SHA256 | 97a61fd8a2270d07ccd704ac676daa9305d47de5cb773389196512c6bb08f816 |
| SHA512 | f170e1102f50696ec7343b331ed133349514f8f55666c6830e98829c2edad5288b536a9e3888f94c88725fbb8c8c2f2cef58e266ec0e29515865707fe0a1482f |
memory/1380-62-0x0000000000000000-mapping.dmp
memory/1584-64-0x0000000000000000-mapping.dmp
memory/1664-66-0x0000000000000000-mapping.dmp
memory/1684-68-0x0000000000000000-mapping.dmp