Analysis Overview
SHA256
5280435bea53aa35b848742096bc700fce70b34b92becdedb6c50d60bc06164e
Threat Level: Known bad
The file LBLeak.zip was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-03 17:24
Signatures
Blackmatter family
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-03 17:24
Reported
2024-09-03 17:25
Platform
win11-20240802-en
Max time kernel
16s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LBLeak\Build.bat"
C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\LBLeak\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
Files
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\priv.key
| Hash | Value |
|---|---|
| MD5 | 876bb78260ef7e75c35388028e6564f2 |
| SHA1 | 14c3b2f58d7b2a1378be121bce78e9f2f92920ff |
| SHA256 | 8d0a68814d8c4ed4ba485dc3295396f8e33414d3da5ab33062c6329bb0d6f5ba |
| SHA512 | ca17bad96c4fa52b110de5429df4f786696fc94b11df17a29e2bf1033e4a64ce16790e2b3077b850e1e91f9b5a2a80d2081c67b579adce885b15d93eb6f1f934 |
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key
| Hash | Value |
|---|---|
| MD5 | cfdae327b3c974e5f5cacb1a2ee40b4c |
| SHA1 | 91f2a8e8c0003e59d976fc856b9bb59674ddcdef |
| SHA256 | 8f8defc48f875a6e34f60ce2f84ec4b390f9673331f71f211702a5cc21ed87f9 |
| SHA512 | 2e4378eed9eeaab115e4898d9169b50f49514773bffeb309b8ff7f0ca03b4c3f6084d25ccc40ede44199edb3679d3669a8ae927ebdf0fa1de004794123290a3b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-03 17:24
Reported
2024-09-03 17:25
Platform
win11-20240802-en
Max time kernel
0s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
"C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-03 17:24
Reported
2024-09-03 17:25
Platform
win11-20240802-en
Max time kernel
1s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\LBLeak\config.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-03 17:24
Reported
2024-09-03 17:25
Platform
win11-20240802-en
Max time kernel
1s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe"