Malware Analysis Report

2024-10-16 03:21

Sample ID 240903-vy4t1ssakp
Target LBLeak.zip
SHA256 5280435bea53aa35b848742096bc700fce70b34b92becdedb6c50d60bc06164e
Tags: lockbit, blackmatter, discovery
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 5280435bea53aa35b848742096bc700fce70b34b92becdedb6c50d60bc06164e

Threat Level: Known bad

The file LBLeak.zip was found to be: Known bad. The archive holds the leaked LockBit 3.0 builder kit (keygen.exe, builder.exe, config.json and a Build.bat that drives them, see behavioral1); the Blackmatter family match alongside the Lockbit match is expected, since LockBit 3.0 shares a large part of its code base with BlackMatter.

Malicious Activity Summary

lockbit blackmatter discovery

Blackmatter family

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK (Enterprise Matrix V15)

Discovery (TA0007): T1614.001 System Location Discovery: System Language Discovery. This is the only technique the runs map to; it comes from builder.exe and keygen.exe opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language (behavioral1, behavioral2, behavioral4).

Analysis: static1

Detonation Overview

Reported

2024-09-03 17:24

Signatures

Blackmatter family

blackmatter

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-03 17:24

Reported

2024-09-03 17:25

Platform

win11-20240802-en

Max time kernel

16s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LBLeak\Build.bat"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe | N/A   (6 events, one per builder.exe run)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe | N/A   (1 event)

Note: opening NLS\Language is also part of ordinary locale initialization in many benign programs, so on its own this signature is context rather than evidence. It is worth listing only because it is the single ATT&CK-mapped behaviour any of the runs produced.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4608 wrote to memory of 1248 (x3) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe
PID 4608 wrote to memory of 2960 (x3) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 4608 wrote to memory of 3560 (x3) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 4608 wrote to memory of 3460 (x3) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 4608 wrote to memory of 4088 (x3) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 4608 wrote to memory of 572 (x3) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 4608 wrote to memory of 3596 (x3) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

Note: PID 4608 is the cmd.exe running Build.bat and every target is a child it started. A parent writing into the address space of a child it has just created is part of CreateProcess, so this signature records process creation here, not injection into a running process. What the table does give is the process tree: one keygen.exe run followed by six builder.exe runs, matching the commands in Build.bat listed under Processes.

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LBLeak\Build.bat"

C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe

keygen -path C:\Users\Admin\AppData\Local\Temp\LBLeak\Build -pubkey pub.key -privkey priv.key

C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe

C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe

C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_pass.exe

C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_Rundll32.dll

C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_Rundll32_pass.dll

C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

No WriteProcessMemory entry from PID 4608 targets this process, so it is not started by Build.bat. rundll32 hosting shell32's SHCreateLocalServerRunDll with -Embedding is the shell activating a COM local server, a routine background process in a Windows sandbox rather than part of the sample's behaviour.
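The command lines above are the whole LockBit 3.0 build procedure as Build.bat runs it: keygen.exe writes a key pair into the Build directory, then builder.exe is called once per payload variant, with -type dec plus the private key for the decryptor and -type enc plus the public key for each encryptor (-exe or -dll, -ref for the reflective DLL, and -pass for the password-gated builds). The script below is an added example, not code from the sandbox or from the leaked builder. It parses process-creation records of that shape, keys on the flag structure rather than the image name (the binaries can be renamed), and returns the key files and payload paths a responder should sweep for. The records it parses are constructed from this report; their Sysmon-like (pid, ppid, image, cmdline) layout, the pairing of child PIDs with individual builder runs, and the zero placeholder PIDs are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed records (pid, ppid, image, cmdline) in an assumed Sysmon-like
# layout; the command lines are the ones the behavioral1 run lists. Pairing of
# child PIDs with individual builder runs follows report order (assumption);
# PIDs the report does not give are 0 (placeholder).
B = r"C:\Users\Admin\AppData\Local\Temp\LBLeak"
SAMPLE_RECORDS = [
    (4608, 0, r"C:\Windows\system32\cmd.exe",
     rf'C:\Windows\system32\cmd.exe /c "{B}\Build.bat"'),
    (1248, 4608, rf"{B}\keygen.exe",
     rf"keygen -path {B}\Build -pubkey pub.key -privkey priv.key"),
    (2960, 4608, rf"{B}\builder.exe",
     rf"builder -type dec -privkey {B}\Build\priv.key -config config.json -ofile {B}\Build\LB3Decryptor.exe"),
    (3560, 4608, rf"{B}\builder.exe",
     rf"builder -type enc -exe -pubkey {B}\Build\pub.key -config config.json -ofile {B}\Build\LB3.exe"),
    (3460, 4608, rf"{B}\builder.exe",
     rf"builder -type enc -exe -pass -pubkey {B}\Build\pub.key -config config.json -ofile {B}\Build\LB3_pass.exe"),
    (4088, 4608, rf"{B}\builder.exe",
     rf"builder -type enc -dll -pubkey {B}\Build\pub.key -config config.json -ofile {B}\Build\LB3_Rundll32.dll"),
    (572, 4608, rf"{B}\builder.exe",
     rf"builder -type enc -dll -pass -pubkey {B}\Build\pub.key -config config.json -ofile {B}\Build\LB3_Rundll32_pass.dll"),
    (3596, 4608, rf"{B}\builder.exe",
     rf"builder -type enc -ref -pubkey {B}\Build\pub.key -config config.json -ofile {B}\Build\LB3_ReflectiveDll_DllMain.dll"),
    (0, 0, r"C:\Windows\System32\rundll32.exe",  # unrelated shell COM host; must not match
     r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]

VALUE_FLAGS = {"-type", "-pubkey", "-privkey", "-config", "-ofile", "-path"}
BOOL_FLAGS = {"-exe", "-dll", "-ref", "-pass"}

def parse_flags(tokens: list) -> dict:
    """Collect builder/keygen style flags from argv[1:]; anything else is ignored."""
    opts, i = {}, 1
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag in VALUE_FLAGS and i + 1 < len(tokens):
            opts[flag] = tokens[i + 1]
            i += 2
        else:
            if flag in BOOL_FLAGS:
                opts[flag] = True
            i += 1
    return opts

@dataclass(frozen=True)
class Finding:
    pid: int
    ppid: int
    tool: str             # "keygen" or "builder"
    role: str             # "keypair", "encryptor" or "decryptor"
    form: Optional[str]   # "exe", "dll" or "reflective-dll"; None for keygen
    password_gated: bool  # builder -pass: the payload needs a password to run
    key_file: str         # key the builder embeds (pub for enc, priv for dec)
    outputs: tuple        # files the invocation writes

def classify(record) -> Optional[Finding]:
    """Match on flag structure, not image name: the binaries can be renamed."""
    pid, ppid, _image, cmdline = record
    opts = parse_flags(tokenize(cmdline))
    if {"-path", "-pubkey", "-privkey"}.issubset(opts):
        outdir = opts["-path"]
        return Finding(pid, ppid, "keygen", "keypair", None, False, "",
                       (ntpath.join(outdir, opts["-pubkey"]), ntpath.join(outdir, opts["-privkey"])))
    kind = opts.get("-type", "").lower()
    if kind not in ("enc", "dec") or "-ofile" not in opts:
        return None
    if kind == "dec":
        return Finding(pid, ppid, "builder", "decryptor", "exe", False,
                       opts.get("-privkey", ""), (opts["-ofile"],))
    form = "reflective-dll" if "-ref" in opts else "dll" if "-dll" in opts else "exe"
    return Finding(pid, ppid, "builder", "encryptor", form, "-pass" in opts,
                   opts.get("-pubkey", ""), (opts["-ofile"],))

def find_builder_activity(records) -> list:
    return [f for f in map(classify, records) if f is not None]

def expected_on_disk(findings) -> list:
    """Paths to collect or sweep for: key material plus every payload variant built."""
    return sorted({p for f in findings for p in f.outputs})

def script_children(records, script_pid: int) -> set:
    """PIDs started by the batch interpreter; these are the WriteProcessMemory targets."""
    return {pid for pid, ppid, _, _ in records if ppid == script_pid}

if __name__ == "__main__":
    for f in find_builder_activity(SAMPLE_RECORDS):
        print(f.pid, f.tool, f.role, f.form, "pass" if f.password_gated else "nopass", f.outputs[-1])
```

Run it directly to print one line per keygen/builder invocation. In a real hunt, feed it Sysmon Event ID 1 or EDR process-creation records and treat any Finding as an alert: a legitimate host has no reason to run this tool, and the output paths tell you which payloads and key files to collect before they are moved or deleted.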

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\priv.key

MD5 876bb78260ef7e75c35388028e6564f2
SHA1 14c3b2f58d7b2a1378be121bce78e9f2f92920ff
SHA256 8d0a68814d8c4ed4ba485dc3295396f8e33414d3da5ab33062c6329bb0d6f5ba
SHA512 ca17bad96c4fa52b110de5429df4f786696fc94b11df17a29e2bf1033e4a64ce16790e2b3077b850e1e91f9b5a2a80d2081c67b579adce885b15d93eb6f1f934

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key

MD5 cfdae327b3c974e5f5cacb1a2ee40b4c
SHA1 91f2a8e8c0003e59d976fc856b9bb59674ddcdef
SHA256 8f8defc48f875a6e34f60ce2f84ec4b390f9673331f71f211702a5cc21ed87f9
SHA512 2e4378eed9eeaab115e4898d9169b50f49514773bffeb309b8ff7f0ca03b4c3f6084d25ccc40ede44199edb3679d3669a8ae927ebdf0fa1de004794123290a3b

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-03 17:24

Reported

2024-09-03 17:25

Platform

win11-20240802-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe"

Run with no arguments: no files were written and no network activity was recorded, so this detonation exercises none of the build logic. The Build.bat run in behavioral1, which supplies the arguments, is the informative one.

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

"C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-03 17:24

Reported

2024-09-03 17:25

Platform

win11-20240802-en

Max time kernel

1s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\LBLeak\config.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Note: this run executes config.json as if it were a program. No handler is registered for the file, so the shell starts the Windows "Open with" dialog (OpenWith.exe -Embedding); the registry-class changes and the SetWindowsHookEx call belong to that dialog, not to the sample. The file itself, the builder's configuration, is the only item of interest here, and the report does not dump it.

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\LBLeak\config.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-03 17:24

Reported

2024-09-03 17:25

Platform

win11-20240802-en

Max time kernel

1s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe"

Run with no arguments: no files were written and no network activity was recorded. The key pair keygen.exe produces when Build.bat supplies -path, -pubkey and -privkey is shown under behavioral1.

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe

"C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe"

Network

N/A

Files

N/A