blackmatter | 73361db30960d95bf9e4ad4ea2f0585fd4d3e81fa9b5d5e8441f84947e610748

General

Target

Lockbit3.Builder.Malware.rar
Size

168KB
MD5

c9d4d90dfb45736666cb5e1e01c4b29f
SHA1

edd35479b1d1ebaabd42e0c596cf3596c2078a87
SHA256

73361db30960d95bf9e4ad4ea2f0585fd4d3e81fa9b5d5e8441f84947e610748
SHA512

53d04da780ec3af1bf4963de5df07f82d5fa9d77337b0d2d41c809c55c91c0a1547678dc591391abd4525122f3ebd1b85df1533d50c56c325c94e80503af6a04
SSDEEP

3072:7NYcIVnrfkcvrXFG1o3QQpC1SxQtrN7qsXQZU8ihgd33fG+j3jQfdjEGaN0Wynf0:7AVnjPvh2yQQ8pt2U8ihQ3++j38fd5h8

Score

10^/10

blackmatter lockbit discovery ransomware

Malware Config

Extracted

Family

blackmatter

Version

65.239

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Blackmatter family
blackmatter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cb4-13.dat	family_lockbit

Executes dropped EXE 9 IoCs

pid	Process
2020	keygen.exe
2016	builder.exe
5028	builder.exe
388	builder.exe
1792	builder.exe
5020	builder.exe
3640	builder.exe
1396	builder.exe
3532	keygen.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1864	7zFM.exe
Token: 35	1864	7zFM.exe
Token: SeSecurityPrivilege	1864	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1864	7zFM.exe
1864	7zFM.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 2020	1296	cmd.exe	90
PID 1296 wrote to memory of 2020	1296	cmd.exe	90
PID 1296 wrote to memory of 2020	1296	cmd.exe	90
PID 1296 wrote to memory of 2016	1296	cmd.exe	91
PID 1296 wrote to memory of 2016	1296	cmd.exe	91
PID 1296 wrote to memory of 2016	1296	cmd.exe	91
PID 1296 wrote to memory of 5028	1296	cmd.exe	92
PID 1296 wrote to memory of 5028	1296	cmd.exe	92
PID 1296 wrote to memory of 5028	1296	cmd.exe	92
PID 1296 wrote to memory of 388	1296	cmd.exe	93
PID 1296 wrote to memory of 388	1296	cmd.exe	93
PID 1296 wrote to memory of 388	1296	cmd.exe	93
PID 1296 wrote to memory of 1792	1296	cmd.exe	94
PID 1296 wrote to memory of 1792	1296	cmd.exe	94
PID 1296 wrote to memory of 1792	1296	cmd.exe	94
PID 1296 wrote to memory of 5020	1296	cmd.exe	95
PID 1296 wrote to memory of 5020	1296	cmd.exe	95
PID 1296 wrote to memory of 5020	1296	cmd.exe	95
PID 1296 wrote to memory of 3640	1296	cmd.exe	96
PID 1296 wrote to memory of 3640	1296	cmd.exe	96
PID 1296 wrote to memory of 3640	1296	cmd.exe	96

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Lockbit3.Builder.Malware.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Lockbit 3 Builder\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Users\Admin\Desktop\Lockbit 3 Builder\keygen.exe
  keygen -path C:\Users\Admin\Desktop\Lockbit 3 Builder\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2020
- C:\Users\Admin\Desktop\Lockbit 3 Builder\builder.exe
  builder -type dec -privkey C:\Users\Admin\Desktop\Lockbit 3 Builder\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\Lockbit 3 Builder\Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2016
- C:\Users\Admin\Desktop\Lockbit 3 Builder\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\Desktop\Lockbit 3 Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\Lockbit 3 Builder\Build\LB3.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Users\Admin\Desktop\Lockbit 3 Builder\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\Lockbit 3 Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\Lockbit 3 Builder\Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Users\Admin\Desktop\Lockbit 3 Builder\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\Desktop\Lockbit 3 Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\Lockbit 3 Builder\Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Users\Admin\Desktop\Lockbit 3 Builder\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\Lockbit 3 Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\Lockbit 3 Builder\Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Users\Admin\Desktop\Lockbit 3 Builder\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\Desktop\Lockbit 3 Builder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\Lockbit 3 Builder\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  PID:3640

C:\Users\Admin\Desktop\Lockbit 3 Builder\builder.exe
"C:\Users\Admin\Desktop\Lockbit 3 Builder\builder.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1396

C:\Users\Admin\Desktop\Lockbit 3 Builder\keygen.exe
"C:\Users\Admin\Desktop\Lockbit 3 Builder\keygen.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Lockbit 3 Builder\Build.bat

Filesize
741B

MD5
4e46e28b2e61643f6af70a8b19e5cb1f

SHA1
804a1d0c4a280b18e778e4b97f85562fa6d5a4e6

SHA256
8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339

SHA512
009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Download Submit
C:\Users\Admin\Desktop\Lockbit 3 Builder\builder.exe

Filesize
470KB

MD5
8c689dc9e82c9356b990d2b67b4943e1

SHA1
6bdc415b9c356bbeaea75c7336cd72910b95a644

SHA256
e8e2deb0a83aebb1e2cc14846bc71715343372103f279d2d1622e383fb26d6ef

SHA512
fb38a79dbcebde149736d5e1ca37dc15d274838be304d3f86e992d610b50c31d7fe4c30f6697c890f3753443af16eab712aef3f8da88d76ed00790083deb51e4

Download Submit
C:\Users\Admin\Desktop\Lockbit 3 Builder\keygen.exe

Filesize
31KB

MD5
5e28c7c900e4dce08366051c22f07f84

SHA1
ec03fd1551d31486e2f925d9c2db3b87ffcd7018

SHA256
bb76f4d10ec2c1d24be904d2ee078f34a6b5bd11f3b40f295e116fea44824b89

SHA512
fb45d7466d8a979ca78202be20175585e8d560a4cfcc81d3ef15edeb2d292cb5a05cdb93718cef685f1c8ee94cabf6c35ff010785d774057d045ba7b8a478a1e

Download Submit

Analysis

Sharing