Analysis Overview
SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db
Threat Level: Known bad
The file builder.exe was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
Enumerates connected drives
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 15:43
Signatures
Blackmatter family
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
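The static1 hits above are all content rules: two family YARA matches and an "Unsigned PE" check, none of which records an indicator. The "Unsigned PE" signature is the one a practitioner can reproduce without the sandbox's rule set. The following is an added example (not the sandbox's own rule and not code from the sample) that reads only the PE headers needed to find data directory entry 4, IMAGE_DIRECTORY_ENTRY_SECURITY, whose non-zero size means a WIN_CERTIFICATE blob is attached. A present blob is not a valid signature; it still has to be verified against the file hash and a trusted chain with the platform API (WinVerifyTrust, or Get-AuthenticodeSignature in PowerShell). The PE images it builds for demonstration are constructed header-only files, not builder.exe.

```python
"""Check whether a PE carries an Authenticode signature blob (added example)."""
import struct
import sys

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def security_directory(data: bytes):
    """Return (file_offset, size) of the security directory, (0, 0) if absent.

    Unlike the other data directories, the security entry holds a raw file
    offset rather than an RVA, because the certificate blob is not mapped.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER, 20 bytes
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)                          # directory not present at all
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        raise ValueError("security directory lies outside the optional header")
    return struct.unpack_from("<II", data, entry)


def has_authenticode_blob(data: bytes) -> bool:
    """True if a WIN_CERTIFICATE blob is attached and lies inside the file."""
    off, size = security_directory(data)
    return size > 0 and off + size <= len(data)


def build_pe(plus: bool, sec_off: int = 0, sec_size: int = 0) -> bytes:
    """Construct a minimal header-only PE image for testing (no sections)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, 0, 0, 0,
                       opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if plus else PE32_MAGIC)
    nrva_off = 108 if plus else 92
    struct.pack_into("<I", opt, nrva_off, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     sec_off, sec_size)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    if sec_size:
        assert sec_off >= len(image), "certificate blob must follow the headers"
        image += b"\0" * (sec_off - len(image)) + b"\0" * sec_size  # fake blob
    return image


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "signed-blob-present" if has_authenticode_blob(fh.read())
                  else "unsigned")
```

Run it as `python check_sig.py sample.exe`; a file reported as unsigned here matches the sandbox's "Unsigned PE" verdict, while a file reported as having a blob still needs chain and hash verification before it can be called signed.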
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 15:43
Reported
2024-08-04 15:46
Platform
win10v2004-20240802-en
Max time kernel
97s
Max time network
149s
Signatures
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\unregmp2.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3420 wrote to memory of 2244 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Windows\SysWOW64\unregmp2.exe |
| PID 3420 wrote to memory of 2244 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Windows\SysWOW64\unregmp2.exe |
| PID 3420 wrote to memory of 2244 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Windows\SysWOW64\unregmp2.exe |
| PID 2244 wrote to memory of 2300 | N/A | C:\Windows\SysWOW64\unregmp2.exe | C:\Windows\system32\unregmp2.exe |
| PID 2244 wrote to memory of 2300 | N/A | C:\Windows\SysWOW64\unregmp2.exe | C:\Windows\system32\unregmp2.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\PingDisconnect.vbs"
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3420 -ip 3420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 3004
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 5433eab10c6b5c6d55b7cbd302426a39 |
| SHA1 | c5b1604b3350dab290d081eecd5389a895c58de5 |
| SHA256 | 23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131 |
| SHA512 | 207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
| MD5 | 90be2701c8112bebc6bd58a7de19846e |
| SHA1 | a95be407036982392e2e684fb9ff6602ecad6f1e |
| SHA256 | 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf |
| SHA512 | d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 563088ad0f20fabf9dd62c6ba8ae1636 |
| SHA1 | f9cd2fd153afa1a12ff990cf27c32b8c9c44e878 |
| SHA256 | eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184 |
| SHA512 | 8229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092 |
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 34b65f0cd5b6c18572e2c6c0828cd075 |
| SHA1 | 43dd7b68369c2461f1ddc781946d97f2e94cf9c2 |
| SHA256 | 1c311e23174c572ac32a4153b78d9f9191514144e7339768eb253d1fd02d4367 |
| SHA512 | 373242e9c4c28dd0f50bf4fc24dc151ac799eb6b1c6271abd9b8285b108846b7b9b7c73c82ea8c258893394eeebee60c549397f051e1dd88d6b7cee864856d57 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
memory/3420-36-0x0000000006C70000-0x0000000006C80000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 554d9fb3323d96f925c735560bfa8d4f |
| SHA1 | f4c17747678c3de59355f8831f9ef6b21465f349 |
| SHA256 | c36572ed24978498b672648b74efb4c2136058ac3a2be3496d693874cb3071c1 |
| SHA512 | 97bd35ac0c5a625a5d2aee0cbaa15f5cf8ded8f8da4597e6fdd9960b29fec917caa21f64880fc99d2004f0460d9142dcebfb1df1f9b236ff704a148aa882a162 |
memory/3420-42-0x0000000006C70000-0x0000000006C80000-memory.dmp
memory/3420-41-0x0000000006C70000-0x0000000006C80000-memory.dmp
memory/3420-40-0x0000000006C70000-0x0000000006C80000-memory.dmp
memory/3420-39-0x0000000006C70000-0x0000000006C80000-memory.dmp
memory/3420-38-0x0000000006C70000-0x0000000006C80000-memory.dmp
memory/3420-43-0x0000000006C70000-0x0000000006C80000-memory.dmp
memory/3420-44-0x0000000006C70000-0x0000000006C80000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
| MD5 | acb9a5ba3f3d7494b55cf5e91c529517 |
| SHA1 | 861eaa71c33423da3504ec739dbd43d68e170bab |
| SHA256 | 6a1ae69c7edbe0eefec17727731b7df7d1b2c9774cf0ae020e0d0b84efce51cc |
| SHA512 | 20f9219ea98a4705a8bb26755bb7d2aefcf995c60f91fe47fde885c4009f89a876b7d1f9a1385797f4c83bae55ff3beacd812bdbd26ae1e834ec464284342524 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
| MD5 | 6524f37434ff18372476ecf2a45af4f2 |
| SHA1 | 088bf05df9d79fe844ffaf1ef3c1e1504c6f5996 |
| SHA256 | e150bd46dfc03774fd1915e24b00da651544ec79c22c506217e86b00c91757b1 |
| SHA512 | e4c3ad9568f342ab8a272601c9790a8447a47fda3d13dd744897b04e036d11392ff71394336d6bded130cf5a645aca7bf4bf87170e8e12b694e573802383bb7d |