blackmatter | 4dfa2dcbcfe39550255fcf5daaa4ee3b74e7ea3a32666c91c100fb6b8508544b

Resubmissions

11-03-2024 18:04

240311-wnnwgscb67 10

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit-V3.zip
Size

293KB
MD5

f35c9e87f63d3f8d4db5b1a01a14e464
SHA1

7fd87ed64dbb2780b5deccc0a9d138b3b9402e8b
SHA256

4dfa2dcbcfe39550255fcf5daaa4ee3b74e7ea3a32666c91c100fb6b8508544b
SHA512

04d8f57d6a592d30b3af8ee96ed2480a2b594b25a37b500613a06aee994705045140ed6f4152c97f17e935122003d45d6ae64fad668a08cf7e6438f48e3167e3
SSDEEP

6144:50gWKhB5TA1yAmI28MqQoZNTelXsxRw5Bp0i49h/t1uDcMxDM074:50gWw5rA08MLCeG/i49JEcUE

Score

10^/10

blackmatter lockbit ransomware

Malware Config

Extracted

Family

blackmatter

Version

25.239

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000600000001dab3-18.dat	family_lockbit

Executes dropped EXE 7 IoCs

pid	Process
4564	keygen.exe
1548	builder.exe
2584	builder.exe
4972	builder.exe
1420	builder.exe
1200	builder.exe
2676	builder.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4004	7zG.exe
Token: 35	4004	7zG.exe
Token: SeSecurityPrivilege	4004	7zG.exe
Token: SeSecurityPrivilege	4004	7zG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4004	7zG.exe
2640	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 4564	3728	cmd.exe	115
PID 3728 wrote to memory of 4564	3728	cmd.exe	115
PID 3728 wrote to memory of 4564	3728	cmd.exe	115
PID 3728 wrote to memory of 1548	3728	cmd.exe	116
PID 3728 wrote to memory of 1548	3728	cmd.exe	116
PID 3728 wrote to memory of 1548	3728	cmd.exe	116
PID 3728 wrote to memory of 2584	3728	cmd.exe	117
PID 3728 wrote to memory of 2584	3728	cmd.exe	117
PID 3728 wrote to memory of 2584	3728	cmd.exe	117
PID 3728 wrote to memory of 4972	3728	cmd.exe	118
PID 3728 wrote to memory of 4972	3728	cmd.exe	118
PID 3728 wrote to memory of 4972	3728	cmd.exe	118
PID 3728 wrote to memory of 1420	3728	cmd.exe	119
PID 3728 wrote to memory of 1420	3728	cmd.exe	119
PID 3728 wrote to memory of 1420	3728	cmd.exe	119
PID 3728 wrote to memory of 1200	3728	cmd.exe	120
PID 3728 wrote to memory of 1200	3728	cmd.exe	120
PID 3728 wrote to memory of 1200	3728	cmd.exe	120
PID 3728 wrote to memory of 2676	3728	cmd.exe	121
PID 3728 wrote to memory of 2676	3728	cmd.exe	121
PID 3728 wrote to memory of 2676	3728	cmd.exe	121

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\LockBit-V3.zip
1⤵
PID:4520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3100

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\LockBit-V3\" -spe -an -ai#7zMap13653:100:7zEvent12474
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4004

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LockBit-V3\Build.bat
1⤵
- Suspicious use of FindShellTrayWindow
PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LockBit-V3\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\LockBit-V3\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\LockBit-V3\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Users\Admin\AppData\Local\Temp\LockBit-V3\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\LockBit-V3\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Users\Admin\AppData\Local\Temp\LockBit-V3\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\LockBit-V3\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\LockBit-V3\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  PID:2676

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LockBit-V3\Build\Password_exe.txt
1⤵
PID:2368

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LockBit-V3\Build\Password_dll.txt
1⤵
PID:320

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LockBit-V3\macro.vbs"
1⤵
PID:4764

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\LockBit-V3\macro.vbs
1⤵
PID:2432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LockBit-V3\Build.bat

Filesize
1KB

MD5
b8f24efd1d30aac9d360db90c8717aee

SHA1
7d31372560f81ea24db57bb18d56143251a8b266

SHA256
95df1d82137315708931f1fc3411e891cd42d1cab413d4380b479788729248ed

SHA512
14ebf7905f15983593164d1c093bb99d098daf3963f1b7a913c1a9763acb950075a0d2cceab3558cce3e7269c2a2d5dacc2b3c6c55807b0b6bda6bfad62dd032

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3\Build\Password_dll.txt

Filesize
1KB

MD5
b86f68d81a4c6465525e2c8014c419c0

SHA1
80f599c7759ef7222b99eaae4c991fc2cb0b994d

SHA256
72ff017ecadb75660582f27f7b50611f6ca0273d9d59dafce800736c1a24114e

SHA512
433678c487e8695aa20f70251304dcd6d48860168e3525f1b677bf47e65684167fe7b44751c9f626dd178feef8e268d30b956261e52939bef0da8099c0ec9932

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3\Build\Password_exe.txt

Filesize
2KB

MD5
7770c8f46dbfe606f7b8b3a13065c9b2

SHA1
dbbc7e0148d9874a607030dc08e22e8718bd5b4c

SHA256
54a01b24ea2ee67ed04c642837403722d9c14d19351c8de3931818a1110ed819

SHA512
82445a01195039315ea444fede15e25c72e8f3ce22921b6dd616794eff757e409f6229794bf9f35270a7f3f9ee15005973a707ec95b055579852c331027acb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3\Build\priv.key

Filesize
344B

MD5
af291d6117761f6630cc854fd11f3754

SHA1
ba1cd66c57ffc6b19d119035b513dcf4a1fdac1c

SHA256
3a33f0a4a4c98516bbc217ced3ea2ef911e68ba7b0fa229e1e61e44b8da2bdac

SHA512
13c770640fc4188df667968ed24c52a7ab927ccd06be06cc1535f65ae508b88333a382c49d4c5729d23f1c7dd1b9cb4477995c3551e22e1c90d780fd4e22eaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3\Build\pub.key

Filesize
344B

MD5
2b3fd2e443f867fa4b2b4827966a3c89

SHA1
9c68000941bf0c5e4431bf85b1036648722946b1

SHA256
fe43912d9d76a9e8d95c599c9e2c972f7cb3c6cdc11438ba09716f24ec9c0b42

SHA512
e51147ef0fd000409c8e9ebd52b11e3b8e931e94e335797e46e67a0a60ff316645312f534856028499db954ee6889c4315124549b2ecacaac265d2e767f81b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3\config.json

Filesize
8KB

MD5
de177fa08e9b2eaa378760afd53be6b2

SHA1
a18050f9e5f2412955df4b868ffb866209d2b84a

SHA256
d121f4293160e0a39cbb184c032cd45baf1372db00cd33afb0e166ac0a60ac4c

SHA512
44f4e745013eaa7d95486c91457c23fd9694f859920766f0139cf5ca9c84ff6c82d59be9675dd1a0c7b3216464c85cf732dbbdb0e641a5e47cbbf1830f4a0a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3\macro.vbs

Filesize
407B

MD5
cf9c8e2a027b88086e591715ec8eb0a9

SHA1
cfb21043e3c4f9bc71a262df168a37f057ea1aa3

SHA256
42b8b8219f63345f6a3818ebd02cb394903c02b0f922636bb876831c0a06984b

SHA512
5091494e23a8a95cbd6987417430d55a12e50ba2e175ac3e0765927b0f44f5656bd4fe3a3f11d63d455e4013461a324e25a06a4ca328dfbc8a9fba48b597b295

Download Submit