Analysis Overview
SHA256
453eebd2dcf98e15e9ccab2c706438a9d34497631db1f64b6fe9cc3ed41696da
Threat Level: Known bad
The file LockBit3Builder.7z was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-01 11:16
Signatures
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-01 11:16
Reported
2022-10-01 11:19
Platform
win7-20220812-en
Max time kernel
41s
Max time network
44s
Command Line
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
Network
Files
memory/1340-54-0x0000000000000000-mapping.dmp
memory/1340-55-0x0000000076151000-0x0000000076153000-memory.dmp
memory/616-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\priv.key
| MD5 | 95fb0b8f42833da0b1c01079b265b46d |
| SHA1 | d6002d01fb128bca8484432c79d83ff123e74d73 |
| SHA256 | bc06b43e11f975d49097847188e63c8424973712db75fc97791c27c111600cd9 |
| SHA512 | 83e61567b91286c2ed4016f5e8bc01b5edbceb34fa84a5def056ab74541eb3051a8c6128b5e3385de3c0573063b3bda855048190a0896ca52ff19f8fec0e9544 |
memory/1528-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
| MD5 | 40d79d57406c0224a32b4c90d301227f |
| SHA1 | c7ea6cd5e25d84d4e6cbd4cb9d56cae0e5ee4164 |
| SHA256 | 3095f4d9488249ebc7f3e02bbefdce6f44d4e984ebb34540e1e311eea2fb2e2e |
| SHA512 | 8bddd23ba28b8061d35e8cf667039d0720ca28b913077f035876963b2668914812f0caaf20d893a40637e2aacc28806269c94af6f17804f421ab03b2b9ef5c13 |
memory/944-62-0x0000000000000000-mapping.dmp
memory/940-64-0x0000000000000000-mapping.dmp
memory/956-66-0x0000000000000000-mapping.dmp
memory/1736-68-0x0000000000000000-mapping.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2022-10-01 11:16
Reported
2022-10-01 11:19
Platform
win7-20220812-en
Max time kernel
42s
Max time network
45s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\keygen.exe"
Network
Files
memory/1688-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2022-10-01 11:16
Reported
2022-10-01 11:19
Platform
win10v2004-20220812-en
Max time kernel
90s
Max time network
129s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\keygen.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.182.143.210:443 | tcp | |
| US | 67.24.171.254:80 | tcp | |
| US | 67.24.171.254:80 | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2022-10-01 11:16
Reported
2022-10-01 11:19
Platform
win10v2004-20220901-en
Max time kernel
91s
Max time network
138s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\config.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| BE | 8.238.110.126:80 | tcp | |
| US | 13.89.179.10:443 | tcp | |
| BE | 8.238.110.126:80 | tcp | |
| BE | 8.238.110.126:80 | tcp | |
| BE | 8.238.110.126:80 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-01 11:16
Reported
2022-10-01 11:19
Platform
win10v2004-20220901-en
Max time kernel
90s
Max time network
149s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | tcp | |
| FR | 2.18.109.224:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp |
Files
memory/5088-132-0x0000000000000000-mapping.dmp
memory/632-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\priv.key
| MD5 | d277ba5ee35365b05fa8bb0cedae050c |
| SHA1 | 00ae921d98c8f8317930b7fada9a98c68bc7b751 |
| SHA256 | f2add1b8ab6d4f6e69a4412d9e5782fb1d20731d39b74637e15e026be3caa610 |
| SHA512 | f43a9db8a8bd4364d40acd3bd8ae118040a0ea1b3979c04a4c02be87b991574f41c5996fff3b72bc736d7f93fb277e6b7f0f473f52a23719a7a0cffb10d34bae |
memory/2772-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
| MD5 | ce70bed8acffd9dcac7b5f25d29122de |
| SHA1 | 3755216a289c30acbf58c667d64fbe8bd4fbe0e5 |
| SHA256 | bf0d61de11b5e2b69a606e74329d96bb573c29e6af54831be85efa60ca0c37fd |
| SHA512 | 310a1f1fbd4a2049d246d1d408bc4dbee74b7be8318b4abf8dcf7f75c3c5bd798db3002225ec6fd753cb36724d4a73c13410138736cc1955fe1833621e9d3915 |
memory/1384-137-0x0000000000000000-mapping.dmp
memory/2540-138-0x0000000000000000-mapping.dmp
memory/3784-139-0x0000000000000000-mapping.dmp
memory/1580-140-0x0000000000000000-mapping.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2022-10-01 11:16
Reported
2022-10-01 11:19
Platform
win7-20220812-en
Max time kernel
150s
Max time network
43s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
Files
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp
memory/888-55-0x000007FEFC141000-0x000007FEFC143000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-10-01 11:16
Reported
2022-10-01 11:19
Platform
win10v2004-20220812-en
Max time kernel
98s
Max time network
131s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 8.238.23.254:80 | tcp | |
| NL | 8.238.23.254:80 | tcp | |
| DE | 51.116.253.170:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.220.29:80 | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2022-10-01 11:16
Reported
2022-10-01 11:19
Platform
win7-20220812-en
Max time kernel
150s
Max time network
46s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1336 wrote to memory of 952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1336 wrote to memory of 952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1336 wrote to memory of 952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 952 wrote to memory of 344 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 952 wrote to memory of 344 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 952 wrote to memory of 344 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 952 wrote to memory of 344 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\config.json
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\config.json
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\config.json"
Network
Files
memory/1336-54-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp
memory/952-76-0x0000000000000000-mapping.dmp
memory/344-81-0x0000000000000000-mapping.dmp
memory/344-82-0x00000000762D1000-0x00000000762D3000-memory.dmp