Analysis Overview
SHA256
1d6561c4714fadf16bcfb244a5444a959a953424d8e2c6acca6ccb2e20117e74
Threat Level: Known bad
The file LockBit30.7z was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Runs .reg file with regedit
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-29 14:17
Signatures
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-29 14:12
Reported
2022-09-29 14:23
Platform
win10v2004-20220812-en
Max time kernel
69s
Max time network
76s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| DE | 51.116.253.168:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
Files
memory/916-132-0x0000000000000000-mapping.dmp
memory/2292-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\priv.key
| MD5 | a01fe80bd439daf7b3ce844d6d049c87 |
| SHA1 | 59b99d611349fc473c32e5320623783d08191364 |
| SHA256 | c90f0d8583f70b2814f7e76253342a177a0fe1739265a576d415b2a0fd21df01 |
| SHA512 | e515043c50f629904e69fac3ec0f38a4d3d15e00234e1dab302bf351861450fe4ddd9de8119e8ef15f9e35b47a35481208cd0898297fbd0bae330d6b28b26e66 |
memory/4328-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
| MD5 | c33caeb2fed30526198b3e2089b22b45 |
| SHA1 | dc4ca0943ed8aaeb37af473e4e68ead73f46aa3f |
| SHA256 | a9e49a832783226897e48ed26b46b08621f8f9a08c2c69b1462ccb07b9334090 |
| SHA512 | a2410c66c21dc2d063d0efb9fd4066bc5708682af190372e443e49426b88a3941f57cdc746112e9243fabd4950697f0948fabf550a2460637bccf8129b9734dd |
memory/4740-137-0x0000000000000000-mapping.dmp
memory/4936-138-0x0000000000000000-mapping.dmp
memory/4760-139-0x0000000000000000-mapping.dmp
memory/4660-140-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-29 14:12
Reported
2022-09-29 14:23
Platform
win10v2004-20220901-en
Max time kernel
64s
Max time network
68s
Command Line
Signatures
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Desktop\SuspendEnable.reg"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 93.184.221.240:80 | | tcp |
| US | 20.189.173.1:443 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2022-09-29 14:12
Reported
2022-09-29 14:23
Platform
win10v2004-20220812-en
Max time kernel
80s
Max time network
83s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\config.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 20.52.64.200:443 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2022-09-29 14:12
Reported
2022-09-29 14:23
Platform
win10v2004-20220812-en
Max time kernel
85s
Max time network
88s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\keygen.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| DE | 51.116.253.168:443 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |