Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
  • submitted
    08-07-2024 19:32

General

  • Target

    LockBit3 RansomWare.rar

  • Size

    158KB

  • MD5

    348a1ec2197db2ed8fd1034fc2ed5282

  • SHA1

    e32bbdef3415a59ffbbd53648071c67404d26a7e

  • SHA256

    38a71ff442d943f02a32b4e909a7359b003d6c5872cc5f5dfa470fb0ece3d976

  • SHA512

    6762a5c1500afd0b4ac57b6005c2326d1e7ba16118a4d2a537fa847dd856ae079b83c58550e40718ef0fbc8e864e65a0eb95fb0bd6d5eb1b6b40c73a1f5b153a

  • SSDEEP

    3072:DZdYx2XkOVpXxWzyutmYS1SzeAhITgt3JpNjIB9rvzcsEK626ZLN3M:DfM23hoBS15AiTgtf9ervYT926ZL+

Malware Config

Extracted

Family

blackmatter

Version

65.239

Signatures

  • BlackMatter Ransomware

    The BlackMatter ransomware group claims to be the successor of DarkSide and REvil. LockBit 3.0 (LockBit Black) reuses much of the BlackMatter code base, which is why this signature and the BlackMatter config extractor above fire on a LockBit 3.0 builder.

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Executes dropped EXE 30 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\LockBit3 RansomWare.rar"
    1⤵
    • Modifies registry class
    PID:2332
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3624
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:348
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap12593:96:7zEvent21466
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3408
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit3 RansomWare\Build.bat" "
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\keygen.exe
        keygen -path C:\Users\Admin\Desktop\LockBit3 RansomWare\Build -pubkey pub.key -privkey priv.key
        2⤵
        • Executes dropped EXE
        PID:4300
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type dec -privkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3Decryptor.exe
        2⤵
        • Executes dropped EXE
        PID:3004
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3.exe
        2⤵
        • Executes dropped EXE
        PID:4372
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_pass.exe
        2⤵
        • Executes dropped EXE
        PID:1628
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_Rundll32.dll
        2⤵
        • Executes dropped EXE
        PID:3784
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_Rundll32_pass.dll
        2⤵
        • Executes dropped EXE
        PID:452
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_ReflectiveDll_DllMain.dll
        2⤵
        • Executes dropped EXE
        PID:1212
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit3 RansomWare\Build.bat" "
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\keygen.exe
        keygen -path C:\Users\Admin\Desktop\LockBit3 RansomWare\Build -pubkey pub.key -privkey priv.key
        2⤵
        • Executes dropped EXE
        PID:836
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type dec -privkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3Decryptor.exe
        2⤵
        • Executes dropped EXE
        PID:4672
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3.exe
        2⤵
        • Executes dropped EXE
        PID:3960
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_pass.exe
        2⤵
        • Executes dropped EXE
        PID:3324
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_Rundll32.dll
        2⤵
        • Executes dropped EXE
        PID:4332
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_Rundll32_pass.dll
        2⤵
        • Executes dropped EXE
        PID:3744
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_ReflectiveDll_DllMain.dll
        2⤵
        • Executes dropped EXE
        PID:4188
    • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      "C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe"
      1⤵
      • Executes dropped EXE
      PID:4964
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit3 RansomWare\Build.bat" "
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\keygen.exe
        keygen -path C:\Users\Admin\Desktop\LockBit3 RansomWare\Build -pubkey pub.key -privkey priv.key
        2⤵
        • Executes dropped EXE
        PID:3504
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type dec -privkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3Decryptor.exe
        2⤵
        • Executes dropped EXE
        PID:1664
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3.exe
        2⤵
        • Executes dropped EXE
        PID:1768
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_pass.exe
        2⤵
        • Executes dropped EXE
        PID:4796
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_Rundll32.dll
        2⤵
        • Executes dropped EXE
        PID:5016
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_Rundll32_pass.dll
        2⤵
        • Executes dropped EXE
        PID:2296
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
        builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_ReflectiveDll_DllMain.dll
        2⤵
        • Executes dropped EXE
        PID:3248
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit3 RansomWare\Build.bat" "
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Users\Admin\Desktop\LockBit3 RansomWare\keygen.exe
        keygen -path C:\Users\Admin\Desktop\LockBit3 RansomWare\Build -pubkey pub.key -privkey priv.key
        2⤵
        • Executes dropped EXE
        PID:2004
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit3RansomWare\Build.bat" "
      1⤵
        PID:3436
        • C:\Users\Admin\Desktop\LockBit3RansomWare\keygen.exe
          keygen -path C:\Users\Admin\Desktop\LockBit3RansomWare\Build -pubkey pub.key -privkey priv.key
          2⤵
          • Executes dropped EXE
          PID:4928
        • C:\Users\Admin\Desktop\LockBit3RansomWare\builder.exe
          builder -type dec -privkey C:\Users\Admin\Desktop\LockBit3RansomWare\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3RansomWare\Build\LB3Decryptor.exe
          2⤵
          • Executes dropped EXE
          PID:992
        • C:\Users\Admin\Desktop\LockBit3RansomWare\builder.exe
          builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit3RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3RansomWare\Build\LB3.exe
          2⤵
          • Executes dropped EXE
          PID:1120
        • C:\Users\Admin\Desktop\LockBit3RansomWare\builder.exe
          builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit3RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3RansomWare\Build\LB3_pass.exe
          2⤵
          • Executes dropped EXE
          PID:2120
        • C:\Users\Admin\Desktop\LockBit3RansomWare\builder.exe
          builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit3RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3RansomWare\Build\LB3_Rundll32.dll
          2⤵
          • Executes dropped EXE
          PID:3884
        • C:\Users\Admin\Desktop\LockBit3RansomWare\builder.exe
          builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit3RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3RansomWare\Build\LB3_Rundll32_pass.dll
          2⤵
          • Executes dropped EXE
          PID:1344
        • C:\Users\Admin\Desktop\LockBit3RansomWare\builder.exe
          builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit3RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3RansomWare\Build\LB3_ReflectiveDll_DllMain.dll
          2⤵
          • Executes dropped EXE
          PID:4348
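
      The process tree above is effectively a readout of Build.bat: keygen writes a fresh pub.key/priv.key pair into Build\, then builder.exe consumes it to produce a decryptor (-type dec -privkey) and five encryptor variants (-type enc with -exe, -dll or -ref, each optionally -pass). Because every run of the script regenerates the key pair (three keygen launches are visible in the tree), the payloads written to Build\ are not expected to be byte-identical across runs, so the builder command-line pattern is a more durable detection than hashes of the emitted LB3*.exe/.dll files. The Python below is an added example for this report, not part of the sandbox output: it classifies keygen/builder command lines and lists the payload paths a responder should collect. The sample events are constructed from the command lines in the tree; the rule names and the Finding fields are this example's own.

```python
"""Flag LockBit 3.0 builder/keygen invocations in process command lines.

Added example for this report, not sandbox output. SAMPLE_EVENTS is
constructed from the command lines in the process tree; rule names and
the Finding layout are this example's own conventions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# keygen: writes a key pair (-path dir, -pubkey name, -privkey name).
KEYGEN_RE = re.compile(
    r'(?:^|[\\\s"])keygen(?:\.exe)?"?(?=\s)(?=.*\s-path\s)(?=.*\s-pubkey\s)(?=.*\s-privkey\s)',
    re.IGNORECASE,
)
# builder: -type enc|dec plus key, config and output file.
BUILDER_RE = re.compile(
    r'(?:^|[\\\s"])builder(?:\.exe)?"?(?=\s)(?=.*\s-type\s+(?:enc|dec)\b)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    rule: str                         # "lockbit3_keygen" | "lockbit3_builder"
    mode: Optional[str] = None        # "enc" or "dec" (builder only)
    form: Optional[str] = None        # "exe", "dll" or "reflective_dll"
    password_protected: bool = False  # builder -pass: payload requires a password
    key: Optional[str] = None         # -pubkey / -privkey argument
    config: Optional[str] = None      # -config argument
    output: Optional[str] = None      # -ofile (builder) or -path (keygen)


def _value(flag: str, cmdline: str) -> Optional[str]:
    """Argument following `flag`, or None.

    Paths in the tree are unquoted and contain spaces, so read up to the
    next ' -switch' token (or end of line) instead of splitting on whitespace.
    """
    m = re.search(rf"\s{re.escape(flag)}\s+(.+?)(?=\s+-[A-Za-z]|\s*$)", cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def _switch(flag: str, cmdline: str) -> bool:
    """True if the bare switch `flag` (e.g. -pass) is present."""
    return re.search(rf"\s{re.escape(flag)}(?=\s|$)", cmdline, re.IGNORECASE) is not None


def inspect_command_line(cmdline: str) -> Optional[Finding]:
    """Classify one command line; None if it is not keygen/builder usage."""
    if KEYGEN_RE.search(cmdline):
        return Finding(rule="lockbit3_keygen",
                       key=_value("-privkey", cmdline),
                       output=_value("-path", cmdline))
    if BUILDER_RE.search(cmdline):
        mode = (_value("-type", cmdline) or "").lower() or None
        if _switch("-ref", cmdline):
            form = "reflective_dll"
        elif _switch("-dll", cmdline):
            form = "dll"
        elif _switch("-exe", cmdline):
            form = "exe"
        else:
            form = None  # decryptor builds carry no form switch in the tree
        return Finding(rule="lockbit3_builder", mode=mode, form=form,
                       password_protected=_switch("-pass", cmdline),
                       key=_value("-privkey" if mode == "dec" else "-pubkey", cmdline),
                       config=_value("-config", cmdline),
                       output=_value("-ofile", cmdline))
    return None


def triage_events(events: Iterable[str]) -> Tuple[List[Finding], List[str]]:
    """Run the rules over command lines; return findings and payload paths to collect."""
    findings = [f for f in (inspect_command_line(e) for e in events) if f]
    payloads = sorted({f.output for f in findings if f.rule == "lockbit3_builder" and f.output})
    return findings, payloads


# Constructed from the process tree above (two benign lines, then one Build.bat run).
_B = r"C:\Users\Admin\Desktop\LockBit3 RansomWare\Build"
SAMPLE_EVENTS = [
    r'C:\Windows\system32\OpenWith.exe -Embedding',
    r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap12593:96:7zEvent21466',
    rf'keygen -path {_B} -pubkey pub.key -privkey priv.key',
    rf'builder -type dec -privkey {_B}\priv.key -config config.json -ofile {_B}\LB3Decryptor.exe',
    rf'builder -type enc -exe -pubkey {_B}\pub.key -config config.json -ofile {_B}\LB3.exe',
    rf'builder -type enc -exe -pass -pubkey {_B}\pub.key -config config.json -ofile {_B}\LB3_pass.exe',
    rf'builder -type enc -dll -pubkey {_B}\pub.key -config config.json -ofile {_B}\LB3_Rundll32.dll',
    rf'builder -type enc -dll -pass -pubkey {_B}\pub.key -config config.json -ofile {_B}\LB3_Rundll32_pass.dll',
    rf'builder -type enc -ref -pubkey {_B}\pub.key -config config.json -ofile {_B}\LB3_ReflectiveDll_DllMain.dll',
]

if __name__ == "__main__":
    hits, to_collect = triage_events(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("collect:", *to_collect, sep="\n  ")
```

      Feed it the CommandLine field of process-creation telemetry (Sysmon Event ID 1, Security 4688 with command-line auditing, or an EDR export); matching on the argument grammar rather than on the image name catches the builder even if it is renamed, while a rename of the flags themselves would require updating the regexes.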

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\Desktop\LockBit3 RansomWare\Build.bat

        Filesize

        741B

        MD5

        4e46e28b2e61643f6af70a8b19e5cb1f

        SHA1

        804a1d0c4a280b18e778e4b97f85562fa6d5a4e6

        SHA256

        8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339

        SHA512

        009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

      • C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe

        Filesize

        470KB

        MD5

        8c689dc9e82c9356b990d2b67b4943e1

        SHA1

        6bdc415b9c356bbeaea75c7336cd72910b95a644

        SHA256

        e8e2deb0a83aebb1e2cc14846bc71715343372103f279d2d1622e383fb26d6ef

        SHA512

        fb38a79dbcebde149736d5e1ca37dc15d274838be304d3f86e992d610b50c31d7fe4c30f6697c890f3753443af16eab712aef3f8da88d76ed00790083deb51e4

      • C:\Users\Admin\Desktop\LockBit3 RansomWare\keygen.exe

        Filesize

        31KB

        MD5

        5e28c7c900e4dce08366051c22f07f84

        SHA1

        ec03fd1551d31486e2f925d9c2db3b87ffcd7018

        SHA256

        bb76f4d10ec2c1d24be904d2ee078f34a6b5bd11f3b40f295e116fea44824b89

        SHA512

        fb45d7466d8a979ca78202be20175585e8d560a4cfcc81d3ef15edeb2d292cb5a05cdb93718cef685f1c8ee94cabf6c35ff010785d774057d045ba7b8a478a1e

      • C:\Users\Admin\Desktop\LockBit3RansomWare\Build\priv.key

        Filesize

        344B

        MD5

        19740ea0b2c32f124a594d9f1ff1270e

        SHA1

        64565aa93636911df2fcc04a898a7bded9ba7610

        SHA256

        a3bc440ce488669a47b1b6aec7d1fd4ee7785bebbce9d114ff2e586a17d791ea

        SHA512

        c232eb55f7ad97fe09ca7834d4a2644e00cec9e8f22c642afda1c4bdb1ce512dd641766fd51825917e4d01051c9aaa8acbac8f0fc868f462f0ca42000bac0cdb

      • C:\Users\Admin\Desktop\LockBit3RansomWare\Build\pub.key

        Filesize

        344B

        MD5

        5c02a37bb591b39a59b85c74079a99b8

        SHA1

        afabb806e7972acda2019994f3af30e8d95ec755

        SHA256

        67cda1929953da7ef45a17e926b5e33298f12170a8d1afdaa359c4a41a6696dc

        SHA512

        0e4f3d5e1035a2bfb0d9834048a253b53751e7af536799241f46ca07d86c0184ab06b8c415b6996e4924ad598adb76b4fd3e2027c6b2405e9ae0a8fa77ed9cf6

      • C:\Users\Admin\Desktop\LockBit3RansomWare\config.json

        Filesize

        8KB

        MD5

        a6ba7b662de10b45ebe5b6b7edaa62a9

        SHA1

        f3ed67bdaef070cd5a213b89d53c5b8022d6f266

        SHA256

        3f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8

        SHA512

        7fc9d4d61742a26def74c7dd86838482e3fc1e4e065cb3a06ae151e2c8614c9c36e8816ae0a3560ad5dd3cc02be131cb232c7deacc7f7b5a611e8eec790feea1