Resubmissions

05/02/2025, 10:53

250205-mze82stkcs 1

01/02/2025, 17:51

250201-wfja2atkdy 10

Analysis

  • max time kernel
    360s
  • max time network
    323s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250128-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250128-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    01/02/2025, 17:51

General

  • Target
    LockBit30.7z
  • Size
    144KB
  • MD5
    ecad36ec22515adac1190a6a46c78fb7
  • SHA1
    4f3507c3432a86df0d8eb02ea71eb1a884860724
  • SHA256
    1d6561c4714fadf16bcfb244a5444a959a953424d8e2c6acca6ccb2e20117e74
  • SHA512
    2b3edcde3bf96aaf7869d64226ee1bc97ee0956a52ff63bec9309d9916504298c24eb843901c334f76b1713996a7cd74676ddf3b24e633f8981cb5031a60dd12
  • SSDEEP
    3072:2rpwUBhAR0Kz0TO+/nB6thtGnp0gNxQ/XvE12AldjEr:2rWiuaKQ1a+p0gNxcXHgu

Malware Config

Extracted

  • Family
    blackmatter
  • Version
    25.239

LockBit 3.0 (LockBit Black) reuses BlackMatter code, which is why the BlackMatter configuration extractor and signature match this sample alongside the LockBit rules.

Signatures

  • BlackMatter Ransomware

    The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

  • Blackmatter family
  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Lockbit family
  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Executes dropped EXE 14 IoCs
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges. The only accessibility binary in this trace is osk.exe (PID 552), which starts at depth 1 next to the Control Panel rundll32 call rather than under the builder's processes, so treat this as a weak indicator here.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

The archive is opened in 7-Zip (PID 3752). The extracted Build.bat, run through cmd.exe (PID 1064), then drives keygen.exe and builder.exe to produce a key pair, a decryptor (LB3Decryptor.exe) and five encryptor builds (EXE, password-protected EXE, DLL, password-protected DLL and reflective DLL); these are the depth-2 (2⤵) children below. The keygen.exe and builder.exe instances started without arguments at depth 1 are separate launches, not children of Build.bat. The osk.exe, AUDIODG.EXE and Control Panel (main.cpl) rundll32 processes are also at depth 1 and are not spawned by the builder.

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LockBit30.7z"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3752
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4808
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\main.cpl,@1 ,
    1⤵
    PID:2424
  • C:\Windows\system32\osk.exe
    "C:\Windows\system32\osk.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:552
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x500 0x4e8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3180
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1584
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New folder\Build.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Users\Admin\Desktop\New folder\keygen.exe
      keygen -path C:\Users\Admin\Desktop\New folder\Build -pubkey pub.key -privkey priv.key
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3696
    • C:\Users\Admin\Desktop\New folder\builder.exe
      builder -type dec -privkey C:\Users\Admin\Desktop\New folder\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3Decryptor.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4908
    • C:\Users\Admin\Desktop\New folder\builder.exe
      builder -type enc -exe -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3.exe
      2⤵
      • Executes dropped EXE
      PID:4496
    • C:\Users\Admin\Desktop\New folder\builder.exe
      builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3_pass.exe
      2⤵
      • Executes dropped EXE
      PID:928
    • C:\Users\Admin\Desktop\New folder\builder.exe
      builder -type enc -dll -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3_Rundll32.dll
      2⤵
      • Executes dropped EXE
      PID:1144
    • C:\Users\Admin\Desktop\New folder\builder.exe
      builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3_Rundll32_pass.dll
      2⤵
      • Executes dropped EXE
      PID:2064
    • C:\Users\Admin\Desktop\New folder\builder.exe
      builder -type enc -ref -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3_ReflectiveDll_DllMain.dll
      2⤵
      • Executes dropped EXE
      PID:1536
  • C:\Users\Admin\Desktop\New folder\keygen.exe
    "C:\Users\Admin\Desktop\New folder\keygen.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:4324
  • C:\Users\Admin\Desktop\New folder\builder.exe
    "C:\Users\Admin\Desktop\New folder\builder.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:1252
  • C:\Users\Admin\Desktop\New folder\keygen.exe
    "C:\Users\Admin\Desktop\New folder\keygen.exe"
    1⤵
    • Executes dropped EXE
    PID:2052
  • C:\Users\Admin\Desktop\New folder\keygen.exe
    "C:\Users\Admin\Desktop\New folder\keygen.exe"
    1⤵
    • Executes dropped EXE
    PID:4224
  • C:\Users\Admin\Desktop\New folder\keygen.exe
    "C:\Users\Admin\Desktop\New folder\keygen.exe"
    1⤵
    • Executes dropped EXE
    PID:324
  • C:\Users\Admin\Desktop\New folder\keygen.exe
    "C:\Users\Admin\Desktop\New folder\keygen.exe"
    1⤵
    • Executes dropped EXE
    PID:560
  • C:\Users\Admin\Desktop\New folder\builder.exe
    "C:\Users\Admin\Desktop\New folder\builder.exe"
    1⤵
    • Executes dropped EXE
    PID:3760
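The keygen.exe and builder.exe command lines in the tree above are the observable footprint of a builder run. The following Python script is an added detection example, not tria.ge code and not part of the sample: it encodes that command-line grammar (keygen with -path/-pubkey/-privkey; builder with -type enc|dec, -exe/-dll/-ref/-pass and -ofile), ties it to the dropped-file SHA256 values from the Downloads section, and runs it over constructed Sysmon-style process-creation events modelled on the tree. The parent PIDs and per-event image hashes in the sample events are assumptions: the report shows tree depth, not PPIDs.

```python
"""Flag LockBit 3.0 builder activity in process-creation telemetry.

Added example, not tria.ge code: it encodes the keygen.exe / builder.exe
command-line grammar shown in the report's process tree and runs it over
constructed Sysmon-style events modelled on that tree.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# SHA256 of the dropped files from the report's Downloads section.
KNOWN_SHA256 = {
    "a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db": "builder.exe",
    "ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37": "keygen.exe",
    "8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339": "Build.bat",
}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str        # full image path (Sysmon "Image")
    cmdline: str      # Sysmon "CommandLine"
    sha256: str = ""  # image hash, if the sensor records one


@dataclass
class Finding:
    pid: int
    kind: str                  # "keygen", "encryptor", "decryptor" or "known-binary:<name>"
    artifact: str = ""         # -ofile (builder) or -path (keygen) value
    flags: list = field(default_factory=list)
    hash_match: str = ""


# The builder's values are unquoted even when they contain spaces
# ("...\New folder\Build\pub.key"), so shell-style tokenising would break them.
# Split instead on the whitespace that precedes a "-flag" token.
_FLAG_SPLIT = re.compile(r"\s+(?=-[A-Za-z]+(?:\s|$))")


def _argv0(token: str) -> str:
    """First argument of a command line, honouring a quoted path."""
    token = token.strip()
    if token.startswith('"'):
        end = token.find('"', 1)
        return token[1:end] if end > 0 else token[1:]
    return token.split(None, 1)[0] if token else ""


def parse_builder_cmdline(cmdline: str):
    """Return (program, {flag: value-or-True}) for keygen/builder style lines."""
    parts = _FLAG_SPLIT.split(cmdline.strip())
    opts = {}
    for part in parts[1:]:
        name, _, value = part.partition(" ")
        opts[name.lstrip("-").lower()] = value.strip() or True
    return _argv0(parts[0]), opts


def classify(ev: ProcEvent):
    """Classify one event; None when it is not builder activity."""
    prog, opts = parse_builder_cmdline(ev.cmdline)
    names = {PureWindowsPath(prog).stem.lower(), PureWindowsPath(ev.image).stem.lower()}
    hash_match = KNOWN_SHA256.get(ev.sha256.lower(), "")
    if "keygen" in names and {"pubkey", "privkey"} <= set(opts):
        return Finding(ev.pid, "keygen", str(opts.get("path", "")), ["pubkey", "privkey"], hash_match)
    if "builder" in names and opts.get("type") in ("enc", "dec"):
        kind = "encryptor" if opts["type"] == "enc" else "decryptor"
        flags = [f for f in ("exe", "dll", "ref", "pass") if f in opts]
        return Finding(ev.pid, kind, str(opts.get("ofile", "")), flags, hash_match)
    if hash_match:  # known builder component started without its usual arguments
        return Finding(ev.pid, f"known-binary:{hash_match}", "", [], hash_match)
    return None


def hunt(events):
    """Classify every event and mark runs whose parent is a batch script (Build.bat)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        f = classify(ev)
        if f is None:
            continue
        parent = by_pid.get(ev.ppid)
        if parent and ".bat" in parent.cmdline.lower():
            f.flags.append("spawned-by-batch")
        findings.append(f)
    return findings


# Constructed events modelled on the report's tree. PPIDs are assumed (the report
# shows depth, not parent PIDs); 1000 stands in for the desktop shell.
_ROOT = 1000
_DIR = r"C:\Users\Admin\Desktop\New folder"
_BUILDER_SHA = "a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db"
SAMPLE_EVENTS = [
    ProcEvent(3752, _ROOT, r"C:\Program Files\7-Zip\7zFM.exe",
              r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LockBit30.7z"'),
    ProcEvent(1064, _ROOT, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""' + _DIR + r'\Build.bat" "'),
    ProcEvent(3696, 1064, _DIR + r"\keygen.exe",
              "keygen -path " + _DIR + r"\Build -pubkey pub.key -privkey priv.key",
              "ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37"),
    ProcEvent(4908, 1064, _DIR + r"\builder.exe",
              "builder -type dec -privkey " + _DIR + r"\Build\priv.key -config config.json -ofile " + _DIR + r"\Build\LB3Decryptor.exe",
              _BUILDER_SHA),
    ProcEvent(4496, 1064, _DIR + r"\builder.exe",
              "builder -type enc -exe -pubkey " + _DIR + r"\Build\pub.key -config config.json -ofile " + _DIR + r"\Build\LB3.exe",
              _BUILDER_SHA),
    ProcEvent(2064, 1064, _DIR + r"\builder.exe",
              "builder -type enc -dll -pass -pubkey " + _DIR + r"\Build\pub.key -config config.json -ofile " + _DIR + r"\Build\LB3_Rundll32_pass.dll",
              _BUILDER_SHA),
    ProcEvent(2424, _ROOT, r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\main.cpl,@1 ,'),
    ProcEvent(1252, _ROOT, _DIR + r"\builder.exe", '"' + _DIR + r'\builder.exe"', _BUILDER_SHA),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.kind} {f.artifact} {f.flags} {f.hash_match}")
```

Splitting on the whitespace before a -flag rather than tokenising shell-style matters here: the builder passes unquoted paths containing spaces, so a hunt built on shlex-style parsing would truncate the -pubkey and -ofile values at "New". The hash table is exact-match only and a recompiled builder will not hit it, which is why the command-line grammar and the cmd.exe-running-a-.bat parent relationship carry the detection.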

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\New folder\Build.bat
    Filesize
    741B
    MD5
    4e46e28b2e61643f6af70a8b19e5cb1f
    SHA1
    804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
    SHA256
    8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
    SHA512
    009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b
  • C:\Users\Admin\Desktop\New folder\builder.exe
    Filesize
    469KB
    MD5
    c2bc344f6dde0573ea9acdfb6698bf4c
    SHA1
    d6ae7dc2462c8c35c4a074b0a62f07cfef873c77
    SHA256
    a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db
    SHA512
    d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0
  • C:\Users\Admin\Desktop\New folder\keygen.exe
    Filesize
    31KB
    MD5
    71c3b2f765b04d0b7ea0328f6ce0c4e2
    SHA1
    bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4
    SHA256
    ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37
    SHA512
    1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035