Analysis Overview
SHA256
15306331281bba9dae9a8c13b02d24137650cfe293cad61ec2580c9a70194eb1
Threat Level: Known bad
The file test.zip.zip was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-09-24 09:21
Signatures
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-24 09:21
Reported
2022-09-24 09:26
Platform
win7-20220812-en
Max time kernel
43s
Max time network
46s
Command Line
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
Network
Files
memory/1944-54-0x0000000000000000-mapping.dmp
memory/1944-55-0x0000000076031000-0x0000000076033000-memory.dmp
memory/1580-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\priv.key
| MD5 | 820b5858b14106641436aedde5f11e55 |
| SHA1 | 843682efbf99e4a9743e43e949484cf379f34bf1 |
| SHA256 | 964bd2f6be853f02dc7b6347b7bb74263561f32403a04687dc88ac5eccbcf215 |
| SHA512 | 7067daa332410fbd77ab31205014d89294af82af7874109ece3e4fc1f4b08f1b545e4464461fe4361d8df7fed930f672e8b6cfa32843a57478ced87511c0cc59 |
memory/1756-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
| MD5 | 507c8356b1fff4f7261edf6a78b5c45f |
| SHA1 | 3be48c8f646ef1469ce3c9d8fa657adf5fc9b8f9 |
| SHA256 | 32c5711f8ae643098fdb960594b37a22a117681d0c5b4bc3b7ce2e72c9bbd1c8 |
| SHA512 | d7c43a594930a9f6630e35b089c1903b680bb9c83978291afc8117dcf0268baf63c0dbbecd4f73cba318ce4e4caa899b32f0a0446a30e3754db923de5b937e7e |
memory/628-62-0x0000000000000000-mapping.dmp
memory/1768-64-0x0000000000000000-mapping.dmp
memory/908-66-0x0000000000000000-mapping.dmp
memory/1664-68-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-24 09:21
Reported
2022-09-24 09:26
Platform
win10v2004-20220812-en
Max time kernel
61s
Max time network
146s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| NL | 13.69.109.130:443 | | tcp |
Files
memory/2956-132-0x0000000000000000-mapping.dmp
memory/3592-133-0x0000000000000000-mapping.dmp
memory/3192-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\priv.key
| MD5 | 2cf861a5be792a044277b220f88d1e2a |
| SHA1 | d0f2f0b07b34e3acb0fba0edb92f76aed7fcbae5 |
| SHA256 | 51f67a69d4b4b75808b7e07bf931d5e4dd1112541d471b42ad9a868eae4f1bfa |
| SHA512 | a7993bf28bb1863f854a5253008e463c7106d7dc0379d2f787eba5be8f06cdabaef7bded4aab45dd4a3fbe566c244a8b3afd9fbe4d665e1147f49c2677e682b7 |
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
| MD5 | 03ebe2b097e7b9663d255f2b20222baa |
| SHA1 | 00b8b57cc04209b8e2c27e83f52f22074ec2a2f3 |
| SHA256 | 6d384597266488af718d4433bc02b31aa18293a6232c6ab8dc2a7d67d9b38823 |
| SHA512 | ad355e435b3c2a2d3f9e45a93cc1a935e3710f96fa160f32b498195186b2a71f1eb63e71cfa665f138b4d785c76c69bae6ac9372cd5dcbbe57111e5c37b4f68c |
memory/2604-137-0x0000000000000000-mapping.dmp
memory/3176-138-0x0000000000000000-mapping.dmp
memory/4488-139-0x0000000000000000-mapping.dmp
memory/4580-140-0x0000000000000000-mapping.dmp
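The two full detonations above (behavioral1 and behavioral2) run the same Build.bat: keygen.exe writes a fresh key pair, then builder.exe is invoked six times against config.json to produce a decryptor (-type dec) and five encryptor variants (-type enc as a plain EXE, a password-protected EXE, a rundll32 DLL, a password-protected DLL, and a reflective DLL). Because keygen generates new keys on every run, priv.key and pub.key hash differently in the two runs (compare the Files sections), and every LB3* payload the builder writes is likewise unique per build, so those hashes are not reusable indicators; the command-line pattern is. The Network rows in behavioral2, behavioral4 and behavioral6 are the same handful of destinations whether or not the builder is given arguments at all, which is consistent with platform background traffic rather than anything the builder does. The following is an added example, not part of the sandbox report or of the builder itself: a small Python detector that parses process command lines with the switch grammar visible in the trees above (-type, -pubkey/-privkey, -config, -ofile and the bare -exe/-dll/-ref/-pass flags) and reports keygen and builder invocations together with the output files worth hunting for. The sample process list is constructed from the behavioral1 tree plus the argument-less launches from behavioral3 and behavioral5 as negatives; the switch names are taken from the page and nothing else about the builder's option handling is assumed.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample: (image, command line) pairs copied from the behavioral1
# process tree, plus the argument-less launches seen in behavioral3/behavioral5
# as negatives. This is not a live telemetry feed.
SAMPLE_PROCESSES: List[Tuple[str, str]] = [
    (r"C:\Windows\system32\cmd.exe",
     r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"'),
    (r"C:\Users\Admin\AppData\Local\Temp\keygen.exe",
     r"keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key"),
    (r"C:\Users\Admin\AppData\Local\Temp\builder.exe",
     r"builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\builder.exe",
     r"builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\builder.exe",
     r"builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\builder.exe",
     r"builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll"),
    (r"C:\Users\Admin\AppData\Local\Temp\builder.exe",
     r"builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll"),
    (r"C:\Users\Admin\AppData\Local\Temp\builder.exe",
     r"builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll"),
    # behavioral3 / behavioral5: started with no arguments, no signature fired
    (r"C:\Users\Admin\AppData\Local\Temp\builder.exe", r'"C:\Users\Admin\AppData\Local\Temp\builder.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\keygen.exe", r'"C:\Users\Admin\AppData\Local\Temp\keygen.exe"'),
]


@dataclass(frozen=True)
class Finding:
    kind: str              # "keygen" or "builder"
    image: str
    mode: Optional[str]    # builder only: "enc" or "dec"
    fmt: Optional[str]     # builder only: "exe", "dll", "ref" (reflective DLL) or None
    password: bool         # builder only: -pass flag present
    ofile: Optional[str]   # builder only: value of -ofile


_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted runs intact.
    shlex in POSIX mode would treat backslashes as escapes, which is wrong for Windows paths."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def parse_switches(tokens: List[str]) -> Dict[str, Union[str, bool]]:
    """Map '-name value' to {'name': 'value'} and a bare '-flag' to {'flag': True}.
    A switch followed by another switch (or nothing) is treated as a flag."""
    opts: Dict[str, Union[str, bool]] = {}
    i = 1  # skip argv[0]
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            name = tok.lstrip("-").lower()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("-"):
                opts[name] = nxt
                i += 2
                continue
            opts[name] = True
        i += 1
    return opts


def classify(image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding if the process matches the keygen or builder invocation pattern."""
    base = os.path.basename(image.replace("\\", "/")).lower()
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    opts = parse_switches(tokens)
    if base == "keygen.exe" and {"pubkey", "privkey"}.issubset(opts):
        return Finding("keygen", image, None, None, False, None)
    if base == "builder.exe" and opts.get("type") in ("enc", "dec") \
            and "config" in opts and "ofile" in opts:
        fmt = next((f for f in ("exe", "dll", "ref") if opts.get(f) is True), None)
        ofile = opts["ofile"]
        return Finding("builder", image, str(opts["type"]), fmt,
                       opts.get("pass") is True, ofile if isinstance(ofile, str) else None)
    return None


def scan(processes: List[Tuple[str, str]]) -> List[Finding]:
    """Run classify() over (image, command line) pairs and keep the hits, in order."""
    return [f for f in (classify(img, cmd) for img, cmd in processes) if f is not None]


def output_artifacts(findings: List[Finding]) -> List[str]:
    """Paths the builder was told to write. Hunt for these files by path and time,
    not by hash: each build (and each key pair) is unique."""
    return sorted({f.ofile for f in findings if f.kind == "builder" and f.ofile})


if __name__ == "__main__":
    hits = scan(SAMPLE_PROCESSES)
    for h in hits:
        print(h.kind, h.mode or "", h.fmt or "", "pass" if h.password else "", h.ofile or "")
    print("artifacts:", *output_artifacts(hits), sep="\n  ")
```

Feeding it the behavioral1 tree yields one keygen hit and six builder hits (one decryptor, five encryptors, two of them password-protected), while the argument-less launches from behavioral3 and behavioral5 and the cmd.exe wrapper produce nothing, matching the empty Signatures sections of those runs. In a real deployment the same switch grammar translates directly into a process-creation rule (image name builder.exe or keygen.exe, command line containing `-type enc`/`-type dec` with `-config` and `-ofile`, or `-pubkey` with `-privkey`); the point of the parser is that it also recovers which variant was built and where it was written, which a substring match does not.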
Analysis: behavioral3
Detonation Overview
Submitted
2022-09-24 09:21
Reported
2022-09-24 09:26
Platform
win7-20220812-en
Max time kernel
43s
Max time network
46s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
Network
Files
memory/1976-54-0x00000000764D1000-0x00000000764D3000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-09-24 09:21
Reported
2022-09-24 09:26
Platform
win10v2004-20220901-en
Max time kernel
103s
Max time network
147s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.42.65.84:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| NL | 104.80.229.204:443 | | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2022-09-24 09:21
Reported
2022-09-24 09:26
Platform
win7-20220812-en
Max time kernel
41s
Max time network
44s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\keygen.exe"
Network
Files
memory/1996-54-0x0000000074C11000-0x0000000074C13000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2022-09-24 09:21
Reported
2022-09-24 09:26
Platform
win10v2004-20220812-en
Max time kernel
62s
Max time network
148s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\keygen.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| AU | 104.46.162.224:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |