Analysis Overview
SHA256
37185d9df180b61b06b0b411723571eed293ca1d2c3e1c28a74a5fd72e5d9e7b
Threat Level: Known bad
The file LockBit-Black-Builder-main.zip was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-12-29 09:55
Signatures
Blackmatter family
Analysis: behavioral5
Detonation Overview
Submitted
2022-12-29 09:55
Reported
2022-12-29 09:58
Platform
win7-20221111-en
Max time kernel
28s
Max time network
30s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\keygen.exe"
Network
Files
memory/1236-54-0x0000000076941000-0x0000000076943000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2022-12-29 09:55
Reported
2022-12-29 09:58
Platform
win10v2004-20221111-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\keygen.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.91.29:80 | N/A | tcp |
| N/A | 84.53.175.11:80 | N/A | tcp |
| N/A | 20.189.173.3:443 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 96.16.53.137:80 | N/A | tcp |
| N/A | 96.16.53.137:80 | N/A | tcp |
| N/A | 96.16.53.137:80 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-29 09:55
Reported
2022-12-29 09:58
Platform
win7-20220901-en
Max time kernel
45s
Max time network
49s
Command Line
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
Network
Files
memory/1116-54-0x0000000000000000-mapping.dmp
memory/1116-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp
memory/276-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\priv.key
| MD5 | dd192e734605f79fa2e50b0bb7dd3a6e |
| SHA1 | bf7e529a4e3a11d110576c310104dd4b13fe704d |
| SHA256 | ddcc742dfe0c9393f4bdd5968db2efb3b01700a67d141cdcd8af067c0cdabca7 |
| SHA512 | c211e5e2f75a63b6131224be2d5be64596a90d7f225467b1cbdbc3a65b1029a9e3bd10ebd5ab8b73acd67e204a1c1dea89eaa8c76dd6b6467594fa23dbf06525 |
memory/1360-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
| MD5 | f0e0b3622b6e84fb25096a277eda5efa |
| SHA1 | 267f7d7cf8df4f00582cafc40930a947da5a03d4 |
| SHA256 | 60ed17134f4ef9b8f98b6ce533bf8f0447bd946fdb6bd300d79390764ded2090 |
| SHA512 | 9997689fe4127f025d605c01184dbb9099fc0105434f2f9abec5afb848ac9cb80c66f0c5af346eee3e93baa0c297da33cc9ecac23c5593d47f19616c51fb73cb |
memory/296-62-0x0000000000000000-mapping.dmp
memory/576-64-0x0000000000000000-mapping.dmp
memory/540-66-0x0000000000000000-mapping.dmp
memory/1488-68-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-29 09:55
Reported
2022-12-29 09:58
Platform
win10v2004-20221111-en
Max time kernel
90s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
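The process lists of behavioral1 and behavioral2 show the same build procedure: keygen.exe writes a key pair into the Build directory, builder.exe turns the private key into LB3Decryptor.exe, and the public key into five encryptor variants (exe, exe with password, DLL, DLL with password, reflective DLL). Note that the pub.key and priv.key hashes differ between the two detonations, so the key files are per-run artifacts rather than durable indicators; the argument shape of the command lines is what stays constant. The following detector is an added example, not part of the sandbox report and not the builder's own code. It assumes Sysmon-style process-creation records as newline-delimited JSON with pid, ppid, image and cmd fields (an assumption), matches keygen and builder runs on their flags rather than on the image name so a renamed binary is still caught, and groups hits by parent pid to reconstruct a Build.bat-style run. The sample log is constructed: the command lines mirror behavioral1, while the pids, the renamed svc.exe record and the benign notepad record are made up.

```python
"""Flag LockBit 3.0 (Black) builder runs in process-creation logs.

Added example. Assumes Sysmon-style JSON records with pid, ppid, image
and cmd. Matches on argument shape, not image name, so renamed keygen /
builder binaries still hit; groups hits by parent pid.
"""
import json
import re
from collections import defaultdict

# Constructed sample (newline-delimited JSON). Command lines mirror the
# behavioral1 process list; pids, the renamed svc.exe record and the
# benign notepad record are made up for this example.
SAMPLE_LOG = r"""
{"pid": 1116, "ppid": 900, "image": "C:\\Windows\\system32\\cmd.exe", "cmd": "cmd /c \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Build.bat\""}
{"pid": 276, "ppid": 1116, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\keygen.exe", "cmd": "keygen -path C:\\Users\\Admin\\AppData\\Local\\Temp\\Build -pubkey pub.key -privkey priv.key"}
{"pid": 1360, "ppid": 1116, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\builder.exe", "cmd": "builder -type dec -privkey C:\\Users\\Admin\\AppData\\Local\\Temp\\Build\\priv.key -config config.json -ofile C:\\Users\\Admin\\AppData\\Local\\Temp\\Build\\LB3Decryptor.exe"}
{"pid": 296, "ppid": 1116, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\builder.exe", "cmd": "builder -type enc -exe -pubkey C:\\Users\\Admin\\AppData\\Local\\Temp\\Build\\pub.key -config config.json -ofile C:\\Users\\Admin\\AppData\\Local\\Temp\\Build\\LB3.exe"}
{"pid": 576, "ppid": 1116, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\builder.exe", "cmd": "builder -type enc -exe -pass -pubkey C:\\Users\\Admin\\AppData\\Local\\Temp\\Build\\pub.key -config config.json -ofile C:\\Users\\Admin\\AppData\\Local\\Temp\\Build\\LB3_pass.exe"}
{"pid": 540, "ppid": 1116, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\builder.exe", "cmd": "builder -type enc -dll -pubkey C:\\Users\\Admin\\AppData\\Local\\Temp\\Build\\pub.key -config config.json -ofile C:\\Users\\Admin\\AppData\\Local\\Temp\\Build\\LB3_Rundll32.dll"}
{"pid": 1488, "ppid": 1116, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\builder.exe", "cmd": "builder -type enc -dll -pass -pubkey C:\\Users\\Admin\\AppData\\Local\\Temp\\Build\\pub.key -config config.json -ofile C:\\Users\\Admin\\AppData\\Local\\Temp\\Build\\LB3_Rundll32_pass.dll"}
{"pid": 1500, "ppid": 1116, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\builder.exe", "cmd": "builder -type enc -ref -pubkey C:\\Users\\Admin\\AppData\\Local\\Temp\\Build\\pub.key -config config.json -ofile C:\\Users\\Admin\\AppData\\Local\\Temp\\Build\\LB3_ReflectiveDll_DllMain.dll"}
{"pid": 2000, "ppid": 1900, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\svc.exe", "cmd": "svc -type enc -exe -pubkey C:\\tmp\\k.pub -config c.json -ofile C:\\tmp\\out.exe"}
{"pid": 3000, "ppid": 900, "image": "C:\\Windows\\system32\\notepad.exe", "cmd": "notepad C:\\Users\\Admin\\config.json"}
"""

_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_args(cmdline):
    """Split a Windows command line into (argv0, {flag: value}).

    A '-flag' followed by a non-flag token takes it as value; otherwise it
    is a bare switch stored as True (e.g. -exe, -dll, -ref, -pass).
    """
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if not tokens:
        return "", {}
    flags, rest, i = {}, tokens[1:], 0
    while i < len(rest):
        tok = rest[i]
        if tok.startswith("-"):
            key = tok[1:].lower()
            if i + 1 < len(rest) and not rest[i + 1].startswith("-"):
                flags[key], i = rest[i + 1], i + 2
            else:
                flags[key], i = True, i + 1
        else:
            i += 1
    return tokens[0], flags


def classify(cmdline):
    """Return 'keygen', 'builder-enc', 'builder-dec' or None for one command line."""
    _, f = parse_args(cmdline)
    if {"path", "pubkey", "privkey"}.issubset(f):
        return "keygen"
    if "ofile" in f and "config" in f:
        if f.get("type") == "enc" and "pubkey" in f:
            return "builder-enc"
        if f.get("type") == "dec" and "privkey" in f:
            return "builder-dec"
    return None


def _variant(flags):
    """Describe an encryptor build: exe / dll / ref, with '+pass' if password-gated."""
    form = next((k for k in ("exe", "dll", "ref") if k in flags), "unknown")
    return form + ("+pass" if "pass" in flags else "")


def detect(log_text):
    """Return one alert per parent pid that spawned keygen/builder-shaped children.

    keygen plus encryptor builds under one parent is the full Build.bat pipeline
    (severity high); builder runs on their own are still worth a medium alert.
    """
    by_parent = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        kind = classify(rec["cmd"])
        if kind:
            by_parent[rec["ppid"]].append((rec, kind))
    alerts = []
    for ppid, hits in sorted(by_parent.items()):
        kinds = [k for _, k in hits]
        flags = [parse_args(r["cmd"])[1] for r, _ in hits]
        alerts.append({
            "parent_pid": ppid,
            "severity": "high" if "keygen" in kinds and "builder-enc" in kinds else "medium",
            "keygen_runs": kinds.count("keygen"),
            "decryptors": kinds.count("builder-dec"),
            "encryptors": [_variant(f) for f, k in zip(flags, kinds) if k == "builder-enc"],
            "outputs": [f["ofile"] for f, k in zip(flags, kinds) if k.startswith("builder")],
            "images": sorted({r["image"] for r, _ in hits}),
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

Running the block prints two alerts: a high-severity one for the cmd.exe parent (one keygen run, one decryptor, the five encryptor variants and their six output paths) and a medium one for the renamed svc.exe build, while the notepad record that merely mentions config.json is ignored. The output paths under "outputs" are the artifacts to collect and hash after an alert, since the built payloads, not pub.key or priv.key, are what later show up on victims.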
Network
| Country | Destination | Domain | Proto |
| N/A | 13.89.179.10:443 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
Files
memory/4252-132-0x0000000000000000-mapping.dmp
memory/4956-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\priv.key
| MD5 | 3d41ef8aa13d752f03bfd9747db8bded |
| SHA1 | b987cccb178c02dbd4a8247c30cc30cc351a93a5 |
| SHA256 | ae770527f8cefdbe9cacdc1367cccee971feeb768783b9f28808b9fc7ca4b7c8 |
| SHA512 | 7dd6a15609a457ce95b2d1c2d38e2503c6dcba638e0e1f98a32aad6347f203e68422fd1d8daee0416ae5076c738b33538e13f4f7cb235f63adbcdf3a80c12c30 |
memory/4928-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
| MD5 | 556a34d4a8255f886f4beccab999d625 |
| SHA1 | acf46cc211973915ca699666c0b9a838a18484d2 |
| SHA256 | 293f6608b961c7ce11d067ff7b9d8886538a4029d97a736c620437aa3a980dfb |
| SHA512 | 5a34596b4ce583d609b5b65f80f93b340157cd0d9cdc97264a7c19aa867d3587f4aedab01791bd78cdc893d0ad39afe144b84d3b28bdb3df220b8df56c751e07 |
memory/4868-137-0x0000000000000000-mapping.dmp
memory/5056-138-0x0000000000000000-mapping.dmp
memory/1048-139-0x0000000000000000-mapping.dmp
memory/3284-140-0x0000000000000000-mapping.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2022-12-29 09:55
Reported
2022-12-29 09:58
Platform
win7-20221111-en
Max time kernel
32s
Max time network
34s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
Network
Files
memory/1124-54-0x00000000763A1000-0x00000000763A3000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-12-29 09:55
Reported
2022-12-29 09:58
Platform
win10v2004-20220812-en
Max time kernel
64s
Max time network
144s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 52.168.117.170:443 | N/A | tcp |