Analysis
max time kernel: 360s
max time network: 323s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250128-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250128-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 01/02/2025, 17:51
Static task: static1
Behavioral task: behavioral1
Sample: LockBit30.7z
Resource: win10ltsc2021-20250128-en
General
Target: LockBit30.7z
Size: 144KB
MD5: ecad36ec22515adac1190a6a46c78fb7
SHA1: 4f3507c3432a86df0d8eb02ea71eb1a884860724
SHA256: 1d6561c4714fadf16bcfb244a5444a959a953424d8e2c6acca6ccb2e20117e74
SHA512: 2b3edcde3bf96aaf7869d64226ee1bc97ee0956a52ff63bec9309d9916504298c24eb843901c334f76b1713996a7cd74676ddf3b24e633f8981cb5031a60dd12
SSDEEP: 3072:2rpwUBhAR0Kz0TO+/nB6thtGnp0gNxQ/XvE12AldjEr:2rWiuaKQ1a+p0gNxcXHgu
Malware Config
Extracted: blackmatter
25.239
Signatures
- BlackMatter Ransomware
  The BlackMatter ransomware group claims to be the successor of Darkside and REvil.
- Blackmatter family
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Lockbit family
- Rule to detect Lockbit 3.0 ransomware Windows payload (1 IoC)
  resource: behavioral1/files/0x000a000000027cb7-13.dat
  yara_rule: family_lockbit
- Executes dropped EXE (14 IoCs)
  pid / Process:
  3696 keygen.exe
  4908 builder.exe
  4496 builder.exe
  928 builder.exe
  1144 builder.exe
  2064 builder.exe
  1536 builder.exe
  4324 keygen.exe
  1252 builder.exe
  2052 keygen.exe
  4224 keygen.exe
  324 keygen.exe
  560 keygen.exe
  3760 builder.exe
- Event Triggered Execution: Accessibility Features (1 TTP)
  Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language builder.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language keygen.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language builder.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language keygen.exe
- Modifies registry class (1 IoC)
  description / ioc / Process:
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ 7zFM.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process: 3752 7zFM.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description / pid / Process:
  Token: SeRestorePrivilege 3752 7zFM.exe
  Token: 35 3752 7zFM.exe
  Token: 33 3180 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege 3180 AUDIODG.EXE
  Token: SeSecurityPrivilege 3752 7zFM.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid / Process:
  3752 7zFM.exe
  552 osk.exe
  3752 7zFM.exe
- Suspicious use of SetWindowsHookEx (26 IoCs)
  pid / Process: 552 osk.exe (all 26 hits are from this one process)
- Suspicious use of WriteProcessMemory (21 IoCs)
  description / pid / Process / procid_target (each row is recorded three times in the original log):
  PID 1064 wrote to memory of 3696 1064 cmd.exe 99
  PID 1064 wrote to memory of 4908 1064 cmd.exe 100
  PID 1064 wrote to memory of 4496 1064 cmd.exe 101
  PID 1064 wrote to memory of 928 1064 cmd.exe 102
  PID 1064 wrote to memory of 1144 1064 cmd.exe 103
  PID 1064 wrote to memory of 2064 1064 cmd.exe 104
  PID 1064 wrote to memory of 1536 1064 cmd.exe 105
Processes
- C:\Program Files\7-Zip\7zFM.exe (PID 3752)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LockBit30.7z"
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\SysWOW64\DllHost.exe (PID 4808)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  Signatures: System Location Discovery: System Language Discovery
- C:\Windows\system32\rundll32.exe (PID 2424)
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\main.cpl,@1 ,
- C:\Windows\system32\osk.exe (PID 552)
  Command line: "C:\Windows\system32\osk.exe"
  Signatures: Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE (PID 3180)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x500 0x4e8
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (PID 1584)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\cmd.exe (PID 1064)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New folder\Build.bat" "
  Signatures: Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\Desktop\New folder\keygen.exe (PID 3696)
    Command line: keygen -path C:\Users\Admin\Desktop\New folder\Build -pubkey pub.key -privkey priv.key
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Users\Admin\Desktop\New folder\builder.exe (PID 4908)
    Command line: builder -type dec -privkey C:\Users\Admin\Desktop\New folder\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3Decryptor.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Users\Admin\Desktop\New folder\builder.exe (PID 4496)
    Command line: builder -type enc -exe -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3.exe
    Signatures: Executes dropped EXE
  - C:\Users\Admin\Desktop\New folder\builder.exe (PID 928)
    Command line: builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3_pass.exe
    Signatures: Executes dropped EXE
  - C:\Users\Admin\Desktop\New folder\builder.exe (PID 1144)
    Command line: builder -type enc -dll -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3_Rundll32.dll
    Signatures: Executes dropped EXE
  - C:\Users\Admin\Desktop\New folder\builder.exe (PID 2064)
    Command line: builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3_Rundll32_pass.dll
    Signatures: Executes dropped EXE
  - C:\Users\Admin\Desktop\New folder\builder.exe (PID 1536)
    Command line: builder -type enc -ref -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3_ReflectiveDll_DllMain.dll
    Signatures: Executes dropped EXE
- C:\Users\Admin\Desktop\New folder\keygen.exe (PID 4324)
  Command line: "C:\Users\Admin\Desktop\New folder\keygen.exe"
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Users\Admin\Desktop\New folder\builder.exe (PID 1252)
  Command line: "C:\Users\Admin\Desktop\New folder\builder.exe"
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Users\Admin\Desktop\New folder\keygen.exe (PID 2052)
  Command line: "C:\Users\Admin\Desktop\New folder\keygen.exe"
  Signatures: Executes dropped EXE
- C:\Users\Admin\Desktop\New folder\keygen.exe (PID 4224)
  Command line: "C:\Users\Admin\Desktop\New folder\keygen.exe"
  Signatures: Executes dropped EXE
- C:\Users\Admin\Desktop\New folder\keygen.exe (PID 324)
  Command line: "C:\Users\Admin\Desktop\New folder\keygen.exe"
  Signatures: Executes dropped EXE
- C:\Users\Admin\Desktop\New folder\keygen.exe (PID 560)
  Command line: "C:\Users\Admin\Desktop\New folder\keygen.exe"
  Signatures: Executes dropped EXE
- C:\Users\Admin\Desktop\New folder\builder.exe (PID 3760)
  Command line: "C:\Users\Admin\Desktop\New folder\builder.exe"
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 741B
  MD5: 4e46e28b2e61643f6af70a8b19e5cb1f
  SHA1: 804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
  SHA256: 8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
  SHA512: 009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b
- Filesize: 469KB
  MD5: c2bc344f6dde0573ea9acdfb6698bf4c
  SHA1: d6ae7dc2462c8c35c4a074b0a62f07cfef873c77
  SHA256: a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db
  SHA512: d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0
- Filesize: 31KB
  MD5: 71c3b2f765b04d0b7ea0328f6ce0c4e2
  SHA1: bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4
  SHA256: ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37
  SHA512: 1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035