Analysis
-
max time kernel: 149s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-07-2024 19:32
Behavioral task behavioral1: Sample LockBit3 RansomWare.rar, Resource win7-20240708-en
Behavioral task behavioral2: Sample LockBit3 RansomWare.rar, Resource win10v2004-20240704-en
General
-
Target: LockBit3 RansomWare.rar
Size: 158KB
MD5: 348a1ec2197db2ed8fd1034fc2ed5282
SHA1: e32bbdef3415a59ffbbd53648071c67404d26a7e
SHA256: 38a71ff442d943f02a32b4e909a7359b003d6c5872cc5f5dfa470fb0ece3d976
SHA512: 6762a5c1500afd0b4ac57b6005c2326d1e7ba16118a4d2a537fa847dd856ae079b83c58550e40718ef0fbc8e864e65a0eb95fb0bd6d5eb1b6b40c73a1f5b153a
SSDEEP: 3072:DZdYx2XkOVpXxWzyutmYS1SzeAhITgt3JpNjIB9rvzcsEK626ZLN3M:DfM23hoBS15AiTgtf9ervYT926ZL+
Malware Config
Extracted: blackmatter (65.239)
Signatures
-
BlackMatter Ransomware
The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Rule to detect Lockbit 3.0 ransomware Windows payload (1 IoC)
  resource: behavioral2/files/0x0009000000023434-13.dat
  yara_rule: family_lockbit
-
Executes dropped EXE (30 IoCs)
  keygen.exe: PIDs 4300, 836, 3504, 2004, 4928
  builder.exe: PIDs 3004, 4372, 1628, 3784, 452, 1212, 4672, 3960, 3324, 4332, 3744, 4188, 4964, 1664, 1768, 4796, 5016, 2296, 3248, 992, 1120, 2120, 3884, 1344, 4348
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings  (cmd.exe)
  Key created: \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings  (OpenWith.exe)
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeRestorePrivilege   PID 3408  7zG.exe
  Token: 35                   PID 3408  7zG.exe
  Token: SeSecurityPrivilege  PID 3408  7zG.exe
  Token: SeSecurityPrivilege  PID 3408  7zG.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
  PID 3408  7zG.exe
-
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 3624  OpenWith.exe (three hooks)
Suspicious use of WriteProcessMemory (64 IoCs)
  Each parent/child pair appears three times in the raw list (three writes per child); the last pair (1804 -> 2004) appears once because the list is capped at 64 entries.

  Source PID  Process   Target PID  procid_target  Writes logged
  64          cmd.exe   4300        98             3
  64          cmd.exe   3004        99             3
  64          cmd.exe   4372        100            3
  64          cmd.exe   1628        101            3
  64          cmd.exe   3784        102            3
  64          cmd.exe   452         103            3
  64          cmd.exe   1212        104            3
  3092        cmd.exe   836         107            3
  3092        cmd.exe   4672        108            3
  3092        cmd.exe   3960        109            3
  3092        cmd.exe   3324        110            3
  3092        cmd.exe   4332        111            3
  3092        cmd.exe   3744        112            3
  3092        cmd.exe   4188        113            3
  3556        cmd.exe   3504        117            3
  3556        cmd.exe   1664        118            3
  3556        cmd.exe   1768        119            3
  3556        cmd.exe   4796        120            3
  3556        cmd.exe   5016        121            3
  3556        cmd.exe   2296        122            3
  3556        cmd.exe   3248        123            3
  1804        cmd.exe   2004        126            1
Processes
-
C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\LockBit3 RansomWare.rar"
  PID: 2332
  - Modifies registry class
-
C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3624
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 348
-
C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap12593:96:7zEvent21466
  PID: 3408
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit3 RansomWare\Build.bat" "
  PID: 64
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\Desktop\LockBit3 RansomWare\keygen.exe
      keygen -path C:\Users\Admin\Desktop\LockBit3 RansomWare\Build -pubkey pub.key -privkey priv.key
      PID: 4300
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type dec -privkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3Decryptor.exe
      PID: 3004
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3.exe
      PID: 4372
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_pass.exe
      PID: 1628
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_Rundll32.dll
      PID: 3784
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_Rundll32_pass.dll
      PID: 452
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_ReflectiveDll_DllMain.dll
      PID: 1212
      - Executes dropped EXE
-
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit3 RansomWare\Build.bat" "
  PID: 3092
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\Desktop\LockBit3 RansomWare\keygen.exe
      keygen -path C:\Users\Admin\Desktop\LockBit3 RansomWare\Build -pubkey pub.key -privkey priv.key
      PID: 836
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type dec -privkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3Decryptor.exe
      PID: 4672
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3.exe
      PID: 3960
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_pass.exe
      PID: 3324
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_Rundll32.dll
      PID: 4332
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_Rundll32_pass.dll
      PID: 3744
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_ReflectiveDll_DllMain.dll
      PID: 4188
      - Executes dropped EXE
-
C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
  "C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe"
  PID: 4964
  - Executes dropped EXE
-
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit3 RansomWare\Build.bat" "
  PID: 3556
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\Desktop\LockBit3 RansomWare\keygen.exe
      keygen -path C:\Users\Admin\Desktop\LockBit3 RansomWare\Build -pubkey pub.key -privkey priv.key
      PID: 3504
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type dec -privkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3Decryptor.exe
      PID: 1664
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3.exe
      PID: 1768
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_pass.exe
      PID: 4796
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_Rundll32.dll
      PID: 5016
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_Rundll32_pass.dll
      PID: 2296
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3 RansomWare\builder.exe
      builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3 RansomWare\Build\LB3_ReflectiveDll_DllMain.dll
      PID: 3248
      - Executes dropped EXE
-
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit3 RansomWare\Build.bat" "
  PID: 1804
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\Desktop\LockBit3 RansomWare\keygen.exe
      keygen -path C:\Users\Admin\Desktop\LockBit3 RansomWare\Build -pubkey pub.key -privkey priv.key
      PID: 2004
      - Executes dropped EXE
-
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit3RansomWare\Build.bat" "
  PID: 3436
    C:\Users\Admin\Desktop\LockBit3RansomWare\keygen.exe
      keygen -path C:\Users\Admin\Desktop\LockBit3RansomWare\Build -pubkey pub.key -privkey priv.key
      PID: 4928
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3RansomWare\builder.exe
      builder -type dec -privkey C:\Users\Admin\Desktop\LockBit3RansomWare\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3RansomWare\Build\LB3Decryptor.exe
      PID: 992
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3RansomWare\builder.exe
      builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit3RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3RansomWare\Build\LB3.exe
      PID: 1120
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3RansomWare\builder.exe
      builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit3RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3RansomWare\Build\LB3_pass.exe
      PID: 2120
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3RansomWare\builder.exe
      builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit3RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3RansomWare\Build\LB3_Rundll32.dll
      PID: 3884
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3RansomWare\builder.exe
      builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit3RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3RansomWare\Build\LB3_Rundll32_pass.dll
      PID: 1344
      - Executes dropped EXE
    C:\Users\Admin\Desktop\LockBit3RansomWare\builder.exe
      builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit3RansomWare\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit3RansomWare\Build\LB3_ReflectiveDll_DllMain.dll
      PID: 4348
      - Executes dropped EXE
-
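The process tree above records the builder's Build.bat sequence: keygen.exe writes pub.key and priv.key into the Build directory, then builder.exe produces a decryptor (-type dec -privkey) and five encryptor variants (-type enc with -exe, -dll or -ref, optionally -pass). Because every run generates fresh key material and rebuilds the binaries, a hash-based detection of the outputs is short-lived, while the command-line sequence itself is stable. The following Python is an added example, not part of the report or of the toolkit: it classifies process-creation events by their command-line options and flags any parent that spawned both a key generation and at least one encryptor build, treating a lone keygen (as under PID 1804 here) as incomplete. The event fields (pid, ppid, image, command_line) are an assumed layout rather than any specific EDR schema; the sample events are constructed from the command lines in the tree, with parent PIDs of top-level processes set to None because the report does not give them.

```python
"""Flag LockBit 3.0 builder runs in process-creation telemetry.

Added example; not part of the sandbox report or of the LockBit toolkit.
Event fields (pid, ppid, image, command_line) are an assumed layout, not a
specific EDR schema. Command lines are copied from the report's process
tree; parent PIDs of top-level processes are not in the report and are None.
"""
import re
from collections import defaultdict

BUILD = r"C:\Users\Admin\Desktop\LockBit3 RansomWare"
PUB = BUILD + r"\Build\pub.key"
PRIV = BUILD + r"\Build\priv.key"


def _child(pid, ppid, exe, args):
    """Constructed child event. The report logs 'keygen ...' / 'builder ...'
    without the .exe suffix, so the command line starts with exe[:-4]."""
    return {"pid": pid, "ppid": ppid, "image": f"{BUILD}\\{exe}",
            "command_line": f"{exe[:-4]} {args}"}


# Constructed events: the cmd.exe (PID 64) Build.bat session and its seven
# children, the lone builder.exe started with no arguments (PID 4964), and
# the PID 1804 session in which only keygen.exe was logged.
SAMPLE_EVENTS = [
    {"pid": 64, "ppid": None, "image": r"C:\Windows\system32\cmd.exe",
     "command_line": f'C:\\Windows\\system32\\cmd.exe /c ""{BUILD}\\Build.bat" "'},
    _child(4300, 64, "keygen.exe", f"-path {BUILD}\\Build -pubkey pub.key -privkey priv.key"),
    _child(3004, 64, "builder.exe", f"-type dec -privkey {PRIV} -config config.json -ofile {BUILD}\\Build\\LB3Decryptor.exe"),
    _child(4372, 64, "builder.exe", f"-type enc -exe -pubkey {PUB} -config config.json -ofile {BUILD}\\Build\\LB3.exe"),
    _child(1628, 64, "builder.exe", f"-type enc -exe -pass -pubkey {PUB} -config config.json -ofile {BUILD}\\Build\\LB3_pass.exe"),
    _child(3784, 64, "builder.exe", f"-type enc -dll -pubkey {PUB} -config config.json -ofile {BUILD}\\Build\\LB3_Rundll32.dll"),
    _child(452, 64, "builder.exe", f"-type enc -dll -pass -pubkey {PUB} -config config.json -ofile {BUILD}\\Build\\LB3_Rundll32_pass.dll"),
    _child(1212, 64, "builder.exe", f"-type enc -ref -pubkey {PUB} -config config.json -ofile {BUILD}\\Build\\LB3_ReflectiveDll_DllMain.dll"),
    {"pid": 4964, "ppid": None, "image": f"{BUILD}\\builder.exe",
     "command_line": f'"{BUILD}\\builder.exe"'},
    _child(2004, 1804, "keygen.exe", f"-path {BUILD}\\Build -pubkey pub.key -privkey priv.key"),
]

# Split only on whitespace that precedes a "-option" token: option values such
# as "-path C:\...\LockBit3 RansomWare\Build" contain spaces, so a plain split
# on whitespace would break them apart.
OPT_SPLIT = re.compile(r"\s+(?=-[A-Za-z]+(?:\s|$))")


def parse_args(command_line):
    """Return {option: value} for a keygen/builder command line.
    Bare flags (-exe, -dll, -ref, -pass) map to True."""
    chunks = OPT_SPLIT.split(command_line.strip())
    opts = {}
    for chunk in chunks[1:]:  # chunks[0] is the program name
        name, _, value = chunk.partition(" ")
        opts[name.lstrip("-")] = value.strip() or True
    return opts


def classify(event):
    """Map one event to a toolkit stage, or None if it is not one."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    opts = parse_args(event["command_line"])
    if exe == "keygen.exe" and "pubkey" in opts and "privkey" in opts:
        return {"stage": "keygen", "output": opts.get("path")}
    if exe == "builder.exe" and opts.get("type") == "dec" and "privkey" in opts:
        return {"stage": "decryptor", "output": opts.get("ofile")}
    if exe == "builder.exe" and opts.get("type") == "enc" and "pubkey" in opts:
        fmt = next((f for f in ("exe", "dll", "ref") if f in opts), None)
        return {"stage": "encryptor", "format": fmt,
                "password_protected": "pass" in opts, "output": opts.get("ofile")}
    return None


def summarize(events):
    """Group stages by parent PID. A parent that produced a key pair and at
    least one encryptor is a complete build; a bare keygen is not."""
    runs = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit is not None:
            runs[ev["ppid"]].append(hit)
    summary = {}
    for ppid, stages in runs.items():
        kinds = {s["stage"] for s in stages}
        encs = [s for s in stages if s["stage"] == "encryptor"]
        summary[ppid] = {
            "complete_build": {"keygen", "encryptor"} <= kinds,
            "decryptor_built": "decryptor" in kinds,
            "encryptors": sorted(s["output"].rsplit("\\", 1)[-1] for s in encs),
            "password_protected": sorted(s["output"].rsplit("\\", 1)[-1]
                                         for s in encs if s["password_protected"]),
        }
    return summary


if __name__ == "__main__":
    for ppid, info in summarize(SAMPLE_EVENTS).items():
        verdict = "COMPLETE BUILD" if info["complete_build"] else "partial"
        print(f"parent {ppid}: {verdict}, encryptors={info['encryptors']}")
```

Run stand-alone it reports PID 64 as a complete build with five encryptors (two of them -pass variants) and PID 1804 as partial; the cmd.exe launcher and the argument-less builder.exe under PID 4964 are ignored because neither carries toolkit options. In production the same classifier would read Sysmon EventID 1 or EDR process events instead of the constructed list; the fields it needs are the image path, the command line and the parent PID.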
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 741B
MD5: 4e46e28b2e61643f6af70a8b19e5cb1f
SHA1: 804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256: 8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512: 009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b
-
Filesize: 470KB
MD5: 8c689dc9e82c9356b990d2b67b4943e1
SHA1: 6bdc415b9c356bbeaea75c7336cd72910b95a644
SHA256: e8e2deb0a83aebb1e2cc14846bc71715343372103f279d2d1622e383fb26d6ef
SHA512: fb38a79dbcebde149736d5e1ca37dc15d274838be304d3f86e992d610b50c31d7fe4c30f6697c890f3753443af16eab712aef3f8da88d76ed00790083deb51e4
-
Filesize: 31KB
MD5: 5e28c7c900e4dce08366051c22f07f84
SHA1: ec03fd1551d31486e2f925d9c2db3b87ffcd7018
SHA256: bb76f4d10ec2c1d24be904d2ee078f34a6b5bd11f3b40f295e116fea44824b89
SHA512: fb45d7466d8a979ca78202be20175585e8d560a4cfcc81d3ef15edeb2d292cb5a05cdb93718cef685f1c8ee94cabf6c35ff010785d774057d045ba7b8a478a1e
-
Filesize: 344B
MD5: 19740ea0b2c32f124a594d9f1ff1270e
SHA1: 64565aa93636911df2fcc04a898a7bded9ba7610
SHA256: a3bc440ce488669a47b1b6aec7d1fd4ee7785bebbce9d114ff2e586a17d791ea
SHA512: c232eb55f7ad97fe09ca7834d4a2644e00cec9e8f22c642afda1c4bdb1ce512dd641766fd51825917e4d01051c9aaa8acbac8f0fc868f462f0ca42000bac0cdb
-
Filesize: 344B
MD5: 5c02a37bb591b39a59b85c74079a99b8
SHA1: afabb806e7972acda2019994f3af30e8d95ec755
SHA256: 67cda1929953da7ef45a17e926b5e33298f12170a8d1afdaa359c4a41a6696dc
SHA512: 0e4f3d5e1035a2bfb0d9834048a253b53751e7af536799241f46ca07d86c0184ab06b8c415b6996e4924ad598adb76b4fd3e2027c6b2405e9ae0a8fa77ed9cf6
-
Filesize: 8KB
MD5: a6ba7b662de10b45ebe5b6b7edaa62a9
SHA1: f3ed67bdaef070cd5a213b89d53c5b8022d6f266
SHA256: 3f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8
SHA512: 7fc9d4d61742a26def74c7dd86838482e3fc1e4e065cb3a06ae151e2c8614c9c36e8816ae0a3560ad5dd3cc02be131cb232c7deacc7f7b5a611e8eec790feea1