blackmatter | 1d6561c4714fadf16bcfb244a5444a959a953424d8e2c6acca6ccb2e20117e74

General

Target

LockBit30.7z
Size

144KB
MD5

ecad36ec22515adac1190a6a46c78fb7
SHA1

4f3507c3432a86df0d8eb02ea71eb1a884860724
SHA256

1d6561c4714fadf16bcfb244a5444a959a953424d8e2c6acca6ccb2e20117e74
SHA512

2b3edcde3bf96aaf7869d64226ee1bc97ee0956a52ff63bec9309d9916504298c24eb843901c334f76b1713996a7cd74676ddf3b24e633f8981cb5031a60dd12
SSDEEP

3072:2rpwUBhAR0Kz0TO+/nB6thtGnp0gNxQ/XvE12AldjEr:2rWiuaKQ1a+p0gNxcXHgu

Score

10^/10

blackmatter lockbit discovery persistence privilege_escalation ransomware

Malware Config

Extracted

Family

blackmatter

Version

25.239

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Blackmatter family
blackmatter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000027cb7-13.dat	family_lockbit

Executes dropped EXE 14 IoCs

pid	Process
3696	keygen.exe
4908	builder.exe
4496	builder.exe
928	builder.exe
1144	builder.exe
2064	builder.exe
1536	builder.exe
4324	keygen.exe
1252	builder.exe
2052	keygen.exe
4224	keygen.exe
324	keygen.exe
560	keygen.exe
3760	builder.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3752	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3752	7zFM.exe
Token: 35	3752	7zFM.exe
Token: 33	3180	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3180	AUDIODG.EXE
Token: SeSecurityPrivilege	3752	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3752	7zFM.exe
552	osk.exe
3752	7zFM.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 3696	1064	cmd.exe	99
PID 1064 wrote to memory of 3696	1064	cmd.exe	99
PID 1064 wrote to memory of 3696	1064	cmd.exe	99
PID 1064 wrote to memory of 4908	1064	cmd.exe	100
PID 1064 wrote to memory of 4908	1064	cmd.exe	100
PID 1064 wrote to memory of 4908	1064	cmd.exe	100
PID 1064 wrote to memory of 4496	1064	cmd.exe	101
PID 1064 wrote to memory of 4496	1064	cmd.exe	101
PID 1064 wrote to memory of 4496	1064	cmd.exe	101
PID 1064 wrote to memory of 928	1064	cmd.exe	102
PID 1064 wrote to memory of 928	1064	cmd.exe	102
PID 1064 wrote to memory of 928	1064	cmd.exe	102
PID 1064 wrote to memory of 1144	1064	cmd.exe	103
PID 1064 wrote to memory of 1144	1064	cmd.exe	103
PID 1064 wrote to memory of 1144	1064	cmd.exe	103
PID 1064 wrote to memory of 2064	1064	cmd.exe	104
PID 1064 wrote to memory of 2064	1064	cmd.exe	104
PID 1064 wrote to memory of 2064	1064	cmd.exe	104
PID 1064 wrote to memory of 1536	1064	cmd.exe	105
PID 1064 wrote to memory of 1536	1064	cmd.exe	105
PID 1064 wrote to memory of 1536	1064	cmd.exe	105

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LockBit30.7z"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3752

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4808

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\main.cpl,@1 ,
1⤵
PID:2424

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:552

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New folder\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\Desktop\New folder\keygen.exe
  keygen -path C:\Users\Admin\Desktop\New folder\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3696
- C:\Users\Admin\Desktop\New folder\builder.exe
  builder -type dec -privkey C:\Users\Admin\Desktop\New folder\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4908
- C:\Users\Admin\Desktop\New folder\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Users\Admin\Desktop\New folder\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Users\Admin\Desktop\New folder\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Users\Admin\Desktop\New folder\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Users\Admin\Desktop\New folder\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\Desktop\New folder\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\New folder\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  PID:1536

C:\Users\Admin\Desktop\New folder\keygen.exe
"C:\Users\Admin\Desktop\New folder\keygen.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4324

C:\Users\Admin\Desktop\New folder\builder.exe
"C:\Users\Admin\Desktop\New folder\builder.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1252

C:\Users\Admin\Desktop\New folder\keygen.exe
"C:\Users\Admin\Desktop\New folder\keygen.exe"
1⤵
- Executes dropped EXE
PID:2052

C:\Users\Admin\Desktop\New folder\keygen.exe
"C:\Users\Admin\Desktop\New folder\keygen.exe"
1⤵
- Executes dropped EXE
PID:4224

C:\Users\Admin\Desktop\New folder\keygen.exe
"C:\Users\Admin\Desktop\New folder\keygen.exe"
1⤵
- Executes dropped EXE
PID:324

C:\Users\Admin\Desktop\New folder\keygen.exe
"C:\Users\Admin\Desktop\New folder\keygen.exe"
1⤵
- Executes dropped EXE
PID:560

C:\Users\Admin\Desktop\New folder\builder.exe
"C:\Users\Admin\Desktop\New folder\builder.exe"
1⤵
- Executes dropped EXE
PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\New folder\Build.bat

Filesize
741B

MD5
4e46e28b2e61643f6af70a8b19e5cb1f

SHA1
804a1d0c4a280b18e778e4b97f85562fa6d5a4e6

SHA256
8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339

SHA512
009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Download Submit
C:\Users\Admin\Desktop\New folder\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\New folder\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit

Resubmissions

Analysis

Sharing