Analysis Overview
SHA256: 453eebd2dcf98e15e9ccab2c706438a9d34497631db1f64b6fe9cc3ed41696da
Threat Level: Known bad
The file LockBit3Builder.7z was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2022-10-10 18:05
Signatures
Blackmatter family
Analysis: behavioral2
Detonation Overview
Submitted: 2022-10-10 18:05
Reported: 2022-10-10 18:06
Platform: win10v2004-20220812-en
Max time kernel: 30s
Max time network: 32s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 52.152.110.14:443 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted: 2022-10-10 18:05
Reported: 2022-10-10 18:06
Platform: win10v2004-20220901-en
Max time kernel: 30s
Max time network: 33s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\keygen.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted: 2022-10-10 18:05
Reported: 2022-10-10 18:06
Platform: win10v2004-20220812-en
Max time kernel: 30s
Max time network: 32s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 95.101.78.106:80 | | tcp |
| NL | 95.101.78.106:80 | | tcp |
Files
memory/4580-132-0x0000000000000000-mapping.dmp
memory/4684-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\priv.key
| Hash | Value |
| --- | --- |
| MD5 | 95e39f912d9a289bac37f776619aaa3f |
| SHA1 | 27cab33176de5d3cc7e3217c5e8e6846a22fa637 |
| SHA256 | b2729a3596e28f80c734956b4f39c7729752d63e325d09468301718354ae18f5 |
| SHA512 | 2feaf14a9826ea1da743608c9589b54e4756f7b7d1ec533a92d07938583dfbc3d89eefa6b6d0388f4578b6bee51924d23beeda9f91804652e646da16b0a8b27a |
memory/1652-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
| Hash | Value |
| --- | --- |
| MD5 | c1eef781c6921dcb7f6b7fc86f37029f |
| SHA1 | 3aae83d49cf85db840a4f77956e43c53bb4623cd |
| SHA256 | 451c3bf60170ac1ba09e6e89f2bdf3e47874b4aa517c52bce6249a6cc2476a4f |
| SHA512 | 271bcbd08b1b39b38d169c578abd9b276a18301e9db588e9a746b96f1e7c4d3ae2dc7860d9edb309009abbe111f225cefbec71f19fc88e871953068927ffe688 |
memory/4964-137-0x0000000000000000-mapping.dmp
memory/2972-138-0x0000000000000000-mapping.dmp
memory/2368-139-0x0000000000000000-mapping.dmp
memory/4884-140-0x0000000000000000-mapping.dmp