Malware Analysis Report

2024-10-16 03:23

Sample ID 221113-wll9wacb66
Target a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d.zip
SHA256 b09403adcaf79f3602815c242b3698e43138156d848ac1b0802232d4afc36154
Tags
blackmatter
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1
Analysis: behavioral3
Analysis: behavioral5
Analysis: behavioral8
Analysis: behavioral2
Analysis: behavioral4
Analysis: behavioral6
Analysis: behavioral7
Analysis: behavioral9

Each behavioral analysis has the sections Detonation Overview, Command Line, Signatures, Processes, Network and Files, in that order. The behavioral analyses are listed in the order the report presents them, not numerically.

Analysis Overview

score
10/10

SHA256

b09403adcaf79f3602815c242b3698e43138156d848ac1b0802232d4afc36154

Threat Level: Known bad

The file a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d.zip was found to be: Known bad.

Malicious Activity Summary

blackmatter

Blackmatter family

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

How to read this verdict. The archive is a LockBit 3.0 builder kit: every behavioral detonation runs Build.bat, keygen.exe or builder.exe out of a LockBit30 directory, and the build outputs are named LB3*.exe and LB3_*.dll. The family signature says "blackmatter" because LockBit 3.0 (LockBit Black) reuses BlackMatter code, so the same static rules fire on it. The WriteProcessMemory hits are all cmd.exe (running Build.bat) writing into the keygen.exe and builder.exe children it launches; the targets in each Signatures table are exactly the child processes in the matching Processes list, so this is process spawning from a batch script, not injection into a foreign process. No encryptor runs in any detonation: the six builder outputs are written to the Build directory and never executed, and builder.exe or keygen.exe started without arguments (behavioral4 through behavioral9) write no files and trigger no signatures. The pub.key and priv.key hashes differ in each of the three build runs, so hashes of anything under Build\ are per-build values rather than reusable indicators; the builder invocation pattern is the durable one. The network rows appear only in Windows 10 detonations, carry no resolved domain, and are absent from every Windows 7 run and from behavioral2; nothing on this page ties them to the tools.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-11-13 18:00

Signatures

Blackmatter family

blackmatter

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-13 18:00

Reported

2022-11-13 18:03

Platform

win7-20220812-en

Max time kernel

40s

Max time network

43s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\LockBit30\Build.bat"

Signatures

Suspicious use of WriteProcessMemory

Count | Description | Indicator | Process | Target
4 | PID 1504 wrote to memory of 1472 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
4 | PID 1504 wrote to memory of 1144 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
4 | PID 1504 wrote to memory of 760 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
4 | PID 1504 wrote to memory of 888 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
4 | PID 1504 wrote to memory of 800 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
4 | PID 1504 wrote to memory of 1620 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
4 | PID 1504 wrote to memory of 1724 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

(The sandbox logs one row per WriteProcessMemory call; identical rows are collapsed here into a count. PID 1504 is the cmd.exe running Build.bat, and every target is one of the children listed under Processes.)

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\LockBit30\Build.bat"

C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe

keygen -path C:\Users\Admin\AppData\Local\Temp\LockBit30\Build -pubkey pub.key -privkey priv.key

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3Decryptor.exe

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3.exe

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_pass.exe

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32.dll

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32_pass.dll

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
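The keygen.exe run and the six builder.exe runs above are the whole Build.bat procedure: generate a key pair into Build\, build the decryptor from priv.key, then build the encryptor from pub.key as a plain EXE, a password-protected EXE, a rundll32 DLL, a password-protected rundll32 DLL and a reflective DLL. The script below is an added example, not part of this report and not code from the kit: it parses that command-line grammar out of process-creation records and flags any parent under which both a key generation and an encryptor build occurred. The EVENTS records are constructed from the behavioral1 process list; their (pid, ppid, image, cmdline) shape is an assumption rather than any particular EDR schema.

```python
"""Flag LockBit 3.0 builder usage in process-creation telemetry.

Added example; not part of the sandbox report and not code from the LockBit
kit. EVENTS is constructed from the behavioral1 process list on this page;
the (pid, ppid, image, cmdline) record shape is an assumption, not a specific
EDR or Sysmon schema. The argument grammar is the one visible in the report's
command lines (keygen -path/-pubkey/-privkey; builder -type enc|dec,
-exe|-dll|-ref, -pass, -pubkey|-privkey, -config, -ofile).
"""
import re
from collections import defaultdict

BASE = r"C:\Users\Admin\AppData\Local\Temp\LockBit30"
CMD = r"C:\Windows\system32\cmd.exe"
KEYGEN = BASE + r"\keygen.exe"
BUILDER = BASE + r"\builder.exe"

# Constructed records: (pid, ppid, image, command line). PIDs follow behavioral1.
EVENTS = [
    (1504, 1000, CMD, f'cmd /c "{BASE}\\Build.bat"'),
    (1472, 1504, KEYGEN, f"keygen -path {BASE}\\Build -pubkey pub.key -privkey priv.key"),
    (1144, 1504, BUILDER, f"builder -type dec -privkey {BASE}\\Build\\priv.key -config config.json -ofile {BASE}\\Build\\LB3Decryptor.exe"),
    (760, 1504, BUILDER, f"builder -type enc -exe -pubkey {BASE}\\Build\\pub.key -config config.json -ofile {BASE}\\Build\\LB3.exe"),
    (888, 1504, BUILDER, f"builder -type enc -exe -pass -pubkey {BASE}\\Build\\pub.key -config config.json -ofile {BASE}\\Build\\LB3_pass.exe"),
    (800, 1504, BUILDER, f"builder -type enc -dll -pubkey {BASE}\\Build\\pub.key -config config.json -ofile {BASE}\\Build\\LB3_Rundll32.dll"),
    (1620, 1504, BUILDER, f"builder -type enc -dll -pass -pubkey {BASE}\\Build\\pub.key -config config.json -ofile {BASE}\\Build\\LB3_Rundll32_pass.dll"),
    (1724, 1504, BUILDER, f"builder -type enc -ref -pubkey {BASE}\\Build\\pub.key -config config.json -ofile {BASE}\\Build\\LB3_ReflectiveDll_DllMain.dll"),
    (2000, 1000, r"C:\Windows\system32\notepad.exe", "notepad.exe"),  # benign noise
]


def basename(path, lower=True):
    """Last component of a Windows or POSIX path, quotes stripped."""
    name = path.replace('"', "").replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower() if lower else name


def parse_keygen(cmdline):
    """keygen -path <dir> -pubkey <file> -privkey <file>  ->  dict, else None."""
    toks = cmdline.replace('"', "").split()
    if not toks or basename(toks[0]) not in ("keygen", "keygen.exe"):
        return None
    m = re.search(r"-path\s+(\S+)\s+-pubkey\s+(\S+)\s+-privkey\s+(\S+)", cmdline, re.I)
    return {"out_dir": m.group(1), "pubkey": m.group(2), "privkey": m.group(3)} if m else None


def parse_builder(cmdline):
    """builder -type enc|dec [-exe|-dll|-ref] [-pass] -pubkey|-privkey <k> -config <c> -ofile <o>."""
    toks = cmdline.replace('"', "").split()
    if not toks or basename(toks[0]) not in ("builder", "builder.exe"):
        return None
    out = {"type": None, "form": "exe", "password": False, "key_kind": None,
           "key": None, "config": None, "ofile": None}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if t == "-type" and nxt:
            out["type"], i = nxt.lower(), i + 2
        elif t in ("-exe", "-dll", "-ref"):
            out["form"], i = t[1:], i + 1
        elif t == "-pass":
            out["password"], i = True, i + 1
        elif t in ("-pubkey", "-privkey") and nxt:
            out["key_kind"], out["key"], i = t[1:], nxt, i + 2
        elif t in ("-config", "-ofile") and nxt:
            out[t[1:]], i = nxt, i + 2
        else:
            i += 1
    return out if out["type"] in ("enc", "dec") and out["ofile"] else None


def scan(events):
    """Return (findings, chains): one finding per keygen/builder run, and
    parent pid -> [child pids] for every parent that launched either tool."""
    findings, chains = [], defaultdict(list)
    images = {pid: img for pid, _, img, _ in events}
    for pid, ppid, image, cmdline in events:
        rec, tool = parse_keygen(cmdline), "keygen"
        if rec is None:
            rec, tool = parse_builder(cmdline), "builder"
        if rec is None:
            continue
        rec.update(pid=pid, ppid=ppid, tool=tool, image=image, parent_image=images.get(ppid))
        findings.append(rec)
        chains[ppid].append(pid)
    return findings, dict(chains)


def build_chains(findings):
    """Parents under which a key pair was generated AND an encryptor was built:
    the full Build.bat sequence, the strongest signal this report shows."""
    roles = defaultdict(set)
    for f in findings:
        roles[f["ppid"]].add(f["tool"] if f["tool"] == "keygen" else "builder:" + f["type"])
    return sorted(p for p, r in roles.items() if {"keygen", "builder:enc"} <= r)


def output_names(findings):
    """File names the builder was asked to write: hunt for these on disk."""
    return [basename(f["ofile"], lower=False) for f in findings if f["tool"] == "builder"]


if __name__ == "__main__":
    found, chains = scan(EVENTS)
    for f in found:
        print(f["pid"], f["tool"], f.get("type"), f.get("form"), f.get("ofile"))
    print("full build chains under parent pid(s):", build_chains(found))
    print("parent -> children:", chains)
```

Matching on the argument grammar rather than on the file names keeps the rule useful when the kit is renamed: `-type enc` together with `-pubkey`, `-config` and `-ofile` in one command line is specific enough on its own, and `build_chains` only fires when the same parent also ran the key generator, which is the shape of Build.bat here.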

Network

N/A

Files

memory/1472-54-0x0000000000000000-mapping.dmp

memory/1472-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

memory/1144-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key

MD5 0cf778dbdc46e5312713ca80f87d11fa
SHA1 7cefdee8da3e66c9bb9b200bb2970b2817aee51a
SHA256 a2c53ba07122066aa8a6aa2e1a28b1b6ed30c104768d2919e2fdc40ecb841936
SHA512 89b4e425a0b6d5c981f08bd11fa72194bea64a9fadc7d9beae419da1eafac6ecef36d69ba779421ae9d9b22c3fe4f76f9d9587bd35ec9119cc921bb007f612dc

memory/760-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key

MD5 c50ba2951e2b688a7f3949ffb19295f2
SHA1 3a62ebd8889e66beedcb735348420187f75b56c8
SHA256 af8a0399819e5bcf357c68be7749a28e76c6b1faf9807a660e0261395a488a0e
SHA512 815bf0b182b63f94750239989458ca2d9d644473e14b24f5d1aefe79eaedae4a261a8b192d217128105ccb99b4ef6fb32fda976dda540efa92b9675a17123d35

memory/888-62-0x0000000000000000-mapping.dmp

memory/800-64-0x0000000000000000-mapping.dmp

memory/1620-66-0x0000000000000000-mapping.dmp

memory/1724-68-0x0000000000000000-mapping.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2022-11-13 18:00

Reported

2022-11-13 18:03

Platform

win10v2004-20220812-en

Max time kernel

138s

Max time network

153s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LockBit30\Build.bat"

Signatures

Suspicious use of WriteProcessMemory

Count | Description | Indicator | Process | Target
3 | PID 2280 wrote to memory of 2544 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
3 | PID 2280 wrote to memory of 1844 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
3 | PID 2280 wrote to memory of 1556 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
3 | PID 2280 wrote to memory of 3972 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
3 | PID 2280 wrote to memory of 3400 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
3 | PID 2280 wrote to memory of 3256 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
3 | PID 2280 wrote to memory of 3728 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

(The sandbox logs one row per WriteProcessMemory call; identical rows are collapsed here into a count. PID 2280 is the cmd.exe running Build.bat, and every target is one of the children listed under Processes.)

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LockBit30\Build.bat"

C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe

keygen -path C:\Users\Admin\AppData\Local\Temp\LockBit30\Build -pubkey pub.key -privkey priv.key

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3Decryptor.exe

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3.exe

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_pass.exe

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32.dll

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32_pass.dll

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll

Network

Country | Destination | Domain | Proto
N/A | 209.197.3.8:80 | - | tcp
N/A | 20.189.173.14:443 | - | tcp
N/A | 93.184.221.240:80 | - | tcp
N/A | 93.184.221.240:80 | - | tcp

Files

memory/2544-132-0x0000000000000000-mapping.dmp

memory/1844-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key

MD5 5946bf575aeea7f2fba6050e25af3803
SHA1 28d78f48c0d00996df41f7b6326e6d7bd3b7df0c
SHA256 aaa353efc6cd20bcc25d080b4bb1d39f46193967982c0d55079c18519a3b41b3
SHA512 92c0a5dc8adbaa2af86c5662c3749292d926ad5b123e88c75db3a79a7f403e76deea326d20d228b8a226b672cd60a8b9c58e0115b0247c9bd168d94984d6d2eb

memory/1556-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key

MD5 515c832372cebdbf67d1c6e5cd4cb0dc
SHA1 13a125d2567b70989b9f42e3125ff8846acb16f0
SHA256 abd76a3834aee7c9450786f85ff7a6e04629809a219a3a2d83bb558885157958
SHA512 fd39e61c75ba9f63e5de92621f25914798e7fb9990851d2af48ae67e9120cc0acbb1e22526936ceb004023da0438bb13f3f481e3e9bb3b30a7ec0c86cf312606

memory/3972-137-0x0000000000000000-mapping.dmp

memory/3400-138-0x0000000000000000-mapping.dmp

memory/3256-139-0x0000000000000000-mapping.dmp

memory/3728-140-0x0000000000000000-mapping.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2022-11-13 18:00

Reported

2022-11-13 18:03

Platform

win10-20220812-en

Max time kernel

52s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

"C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe"

Network

Country | Destination | Domain | Proto
N/A | 13.89.178.26:443 | - | tcp

Files

memory/2696-<seq>-0x0000000077840000-0x00000000779CE000-memory.dmp, seq = 119 through 150

(32 dumps of the same 0x18E000-byte region of PID 2696, the builder.exe process.)

Analysis: behavioral8

Detonation Overview

Submitted

2022-11-13 18:00

Reported

2022-11-13 18:03

Platform

win10-20220901-en

Max time kernel

51s

Max time network

64s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe

"C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe"

Network

Country | Destination | Domain | Proto
N/A | 20.50.73.10:443 | - | tcp
N/A | 13.107.4.50:80 | - | tcp

Files

memory/3504-<seq>-0x00000000771E0000-0x000000007736E000-memory.dmp, seq = 117 through 147

(31 dumps of the same 0x18E000-byte region of PID 3504, the keygen.exe process.)

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-13 18:00

Reported

2022-11-13 18:03

Platform

win10-20220812-en

Max time kernel

49s

Max time network

147s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LockBit30\Build.bat"

Signatures

Suspicious use of WriteProcessMemory

Count | Description | Indicator | Process | Target
3 | PID 392 wrote to memory of 3084 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
3 | PID 392 wrote to memory of 2260 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
3 | PID 392 wrote to memory of 4580 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
3 | PID 392 wrote to memory of 1524 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
3 | PID 392 wrote to memory of 4600 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
3 | PID 392 wrote to memory of 4908 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
3 | PID 392 wrote to memory of 3276 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

(The sandbox logs one row per WriteProcessMemory call; identical rows are collapsed here into a count. PID 392 is the cmd.exe running Build.bat, and every target is one of the children listed under Processes.)

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LockBit30\Build.bat"

C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe

keygen -path C:\Users\Admin\AppData\Local\Temp\LockBit30\Build -pubkey pub.key -privkey priv.key

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3Decryptor.exe

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3.exe

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_pass.exe

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32.dll

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_Rundll32_pass.dll

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll

Network

N/A

Files

memory/3084-119-0x0000000000000000-mapping.dmp

memory/3084-<seq>-0x0000000077480000-0x000000007760E000-memory.dmp, seq = 120 through 150

(31 dumps of the same 0x18E000-byte region of PID 3084, the keygen.exe process.)

memory/2260-151-0x0000000000000000-mapping.dmp

memory/2260-<seq>-0x0000000077480000-0x000000007760E000-memory.dmp, seq = 152 through 183

(32 dumps of the same 0x18E000-byte region of PID 2260, a builder.exe process.)

C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key

MD5 c132f4862c68786dfba9743ff4d06006
SHA1 2fbdaa3d52a43610fb9691ad9751180d86eef876
SHA256 45ac057fbfef18b23dcec0dd88271f7f87107716881c576e440eaaaa85f81021
SHA512 06d9b4cfcbe7cbaf28e8cb0d689224c60e5601b7b35488d6ea373e5583bcbf28ea15cf5af138fa64d4938cb8b72c05e85d74351900dc558bdc475f818e8f2c16

memory/4580-185-0x0000000000000000-mapping.dmp

memory/4580-186-0x0000000077480000-0x000000007760E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key

MD5 f6ff95aab9fc53175163c1fcdac05691
SHA1 37ebedd9325260277deca69636996082d45a5c69
SHA256 81eb8c4fbac9245a36af6d15e220fc392283dca7b3571e394c072ec6a2aa8421
SHA512 88b08c1cb1c9d241f46dbf54633361c9042d8f206839cb5794da5ed7f2996fa721c90db338e20e0e94c19854d2b5b73c72f2d252cbe209894000967ec43685e6

memory/1524-217-0x0000000000000000-mapping.dmp

memory/4600-248-0x0000000000000000-mapping.dmp

memory/4908-279-0x0000000000000000-mapping.dmp

memory/3276-310-0x0000000000000000-mapping.dmp
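The Signatures tables of behavioral1, behavioral3 and behavioral2 log one row per WriteProcessMemory call, so the same writer/target pair repeats, and the Files listings give fresh pub.key and priv.key hashes in every build run. The parser below is an added example, not part of the report and not the sandbox's own export format: it reads lines in the form shown on this page, collapses the WriteProcessMemory rows into per-pair counts, checks that every target PID is also a dumped process (matching the children under Processes), and lists artifact paths whose hash changes between runs. REPORTS contains lines copied from the behavioral1 and behavioral3 sections, trimmed to a few rows; the line grammar is inferred from this page, so treat it as an assumption for reports from any other sandbox version.

```python
"""Parse this report's signature rows, memory-dump names and file hashes.

Added example; not part of the report and not the sandbox's export format.
REPORTS holds lines copied from the behavioral1 and behavioral3 sections of
this page (trimmed to a few rows). The regexes below are inferred from those
lines and are an assumption for any other report layout.
"""
import re
from collections import Counter, defaultdict

REPORTS = {
    "behavioral1": r"""
PID 1504 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
PID 1504 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
PID 1504 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
PID 1504 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
PID 1504 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
PID 1504 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
PID 1504 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
PID 1504 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe
memory/1472-54-0x0000000000000000-mapping.dmp
memory/1472-55-0x00000000768A1000-0x00000000768A3000-memory.dmp
memory/1144-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key
MD5 0cf778dbdc46e5312713ca80f87d11fa
SHA256 a2c53ba07122066aa8a6aa2e1a28b1b6ed30c104768d2919e2fdc40ecb841936
C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key
SHA256 af8a0399819e5bcf357c68be7749a28e76c6b1faf9807a660e0261395a488a0e
""",
    "behavioral3": r"""
PID 2280 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
PID 2280 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
PID 2280 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe
memory/2544-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\priv.key
SHA256 aaa353efc6cd20bcc25d080b4bb1d39f46193967982c0d55079c18519a3b41b3
C:\Users\Admin\AppData\Local\Temp\LockBit30\Build\pub.key
SHA256 abd76a3834aee7c9450786f85ff7a6e04629809a219a3a2d83bb558885157958
""",
}

# One signature row per WriteProcessMemory call: writer pid, target pid, indicator, writer image, target image.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
# memory/<pid>-<seq>-0x<start>[-0x<end>]-(mapping|memory).dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(mapping|memory)\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_report(text):
    """Return {'wpm': Counter, 'dumps': {pid: set of (kind, start, end)}, 'hashes': {path: {algo: hex}}}."""
    wpm, dumps, hashes = Counter(), defaultdict(set), defaultdict(dict)
    current = None  # the most recent file path; hash lines belong to it
    for line in text.splitlines():
        line = line.strip()
        if m := WPM_RE.match(line):
            src, dst, _indicator, proc, target = m.groups()
            wpm[(int(src), int(dst), proc, target)] += 1
        elif m := DUMP_RE.match(line):
            pid, _seq, start, end, kind = m.groups()
            dumps[int(pid)].add((kind, int(start, 16), int(end, 16) if end else None))
        elif PATH_RE.match(line):
            current = line
        elif (m := HASH_RE.match(line)) and current:
            hashes[current][m.group(1)] = m.group(2)
    return {"wpm": wpm, "dumps": dict(dumps), "hashes": dict(hashes)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def wpm_summary(parsed):
    """Collapse one-row-per-call output into (writer pid, target pid, writer, target) -> count."""
    out = Counter()
    for (src, dst, proc, target), n in parsed["wpm"].items():
        out[(src, dst, basename(proc), basename(target))] += n
    return dict(out)


def targets_are_dumped_processes(parsed):
    """True if every PID written into is also a process the sandbox dumped,
    consistent with the targets being the children listed under Processes."""
    targets = {dst for (_, dst, _, _) in parsed["wpm"]}
    return targets <= set(parsed["dumps"])


def volatile_artifacts(parsed_by_run, algo="SHA256"):
    """Paths whose hash differs between runs: generated per build, useless as file-hash IOCs."""
    seen = defaultdict(set)
    for parsed in parsed_by_run.values():
        for path, h in parsed["hashes"].items():
            if algo in h:
                seen[path].add(h[algo])
    return sorted(p for p, hs in seen.items() if len(hs) > 1)


if __name__ == "__main__":
    parsed = {run: parse_report(text) for run, text in REPORTS.items()}
    for run, p in parsed.items():
        print(run, wpm_summary(p), "targets dumped:", targets_are_dumped_processes(p))
    print("per-build artifacts:", volatile_artifacts(parsed))
```

Run it against a full report and the `volatile_artifacts` list is what to strip from a hash-based IOC feed; the `wpm_summary` pairs are what to compare against the parent/child relationships in the Processes section before calling a WriteProcessMemory hit injection.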

Analysis: behavioral4

Detonation Overview

Submitted

2022-11-13 18:00

Reported

2022-11-13 18:03

Platform

win7-20220901-en

Max time kernel

44s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

"C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe"

Network

N/A

Files

memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2022-11-13 18:00

Reported

2022-11-13 18:03

Platform

win10v2004-20220812-en

Max time kernel

106s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe

"C:\Users\Admin\AppData\Local\Temp\LockBit30\builder.exe"

Network

Country | Destination | Domain | Proto
N/A | 20.189.173.10:443 | - | tcp
N/A | 8.253.208.113:80 | - | tcp
N/A | 8.253.208.113:80 | - | tcp
N/A | 209.197.3.8:80 | - | tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2022-11-13 18:00

Reported

2022-11-13 18:03

Platform

win7-20220812-en

Max time kernel

38s

Max time network

41s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe

"C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe"

Network

N/A

Files

memory/544-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2022-11-13 18:00

Reported

2022-11-13 18:03

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe

"C:\Users\Admin\AppData\Local\Temp\LockBit30\keygen.exe"

Network

Country | Destination | Domain | Proto
N/A | 93.184.220.29:80 | - | tcp
N/A | 104.46.162.224:443 | - | tcp
N/A | 209.197.3.8:80 | - | tcp
N/A | 209.197.3.8:80 | - | tcp
N/A | 209.197.3.8:80 | - | tcp
N/A | 104.80.225.205:443 | - | tcp

Files

N/A