Malware Analysis Report

2025-06-15 20:11

Sample ID 230208-xy148sea3y
Target LB3_.bin
SHA256 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1
Tags
lockbit ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1

Threat Level: Known bad

The file LB3_.bin was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Modifies extensions of user files

Checks computer location settings

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-08 19:16

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-08 19:16

Reported

2023-02-08 19:19

Platform

win7-20221111-en

Max time kernel

128s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3_.exe"

Signatures

Lockbit

ransomware lockbit

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\DisconnectUnregister.tiff => C:\Users\Admin\Pictures\DisconnectUnregister.tiff.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File renamed C:\Users\Admin\Pictures\EnterStart.tiff => C:\Users\Admin\Pictures\EnterStart.tiff.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File renamed C:\Users\Admin\Pictures\ResetSave.tif => C:\Users\Admin\Pictures\ResetSave.tif.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File opened for modification C:\Users\Admin\Pictures\DisconnectUnregister.tiff C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File opened for modification C:\Users\Admin\Pictures\BackupSet.tif.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File opened for modification C:\Users\Admin\Pictures\DisconnectUnregister.tiff.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File opened for modification C:\Users\Admin\Pictures\EnterStart.tiff C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File opened for modification C:\Users\Admin\Pictures\EnterStart.tiff.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResetSave.tif.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File renamed C:\Users\Admin\Pictures\BackupSet.tif => C:\Users\Admin\Pictures\BackupSet.tif.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\361F.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\361F.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\HoBZnAfiW.bmp" C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\HoBZnAfiW.bmp" C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\361F.tmp N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon\ = "C:\\ProgramData\\HoBZnAfiW.ico" C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW\ = "HoBZnAfiW" C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 964 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe C:\ProgramData\361F.tmp
PID 1544 wrote to memory of 1220 N/A C:\ProgramData\361F.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LB3_.exe

"C:\Users\Admin\AppData\Local\Temp\LB3_.exe"

C:\ProgramData\361F.tmp

"C:\ProgramData\361F.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\361F.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

memory/964-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini

MD5 9b0365f903943ae5b18e4c4791e9228f
SHA1 c98977c8199a5c22b17adbda875a617b55ff91cb
SHA256 67bdeda66e606519513b6e8b0f1d41f7f1176e0858f2842d6f4d15208e2062c2
SHA512 eb95d71c8d0ef47a05336a6ab078fd9c8bfca256d5ac1566555b840b8ab09f06128e465e471f1a66ae92f314862547cca93e316aa317bf852984989dab2cdffb

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\AAAAAAAAAAA

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\CCCCCCCCCCC

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\FFFFFFFFFFF

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\HHHHHHHHHHH

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\GGGGGGGGGGG

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\EEEEEEEEEEE

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\DDDDDDDDDDD

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\BBBBBBBBBBB

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\IIIIIIIIIII

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\JJJJJJJJJJJ

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\KKKKKKKKKKK

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\LLLLLLLLLLL

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\MMMMMMMMMMM

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\NNNNNNNNNNN

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\OOOOOOOOOOO

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\PPPPPPPPPPP

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\QQQQQQQQQQQ

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\RRRRRRRRRRR

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\SSSSSSSSSSS

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\TTTTTTTTTTT

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\UUUUUUUUUUU

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\VVVVVVVVVVV

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\WWWWWWWWWWW

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\XXXXXXXXXXX

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\YYYYYYYYYYY

memory/964-81-0x0000000000225000-0x0000000000236000-memory.dmp

\ProgramData\361F.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1544-83-0x0000000000000000-mapping.dmp

C:\ProgramData\361F.tmp

C:\ProgramData\361F.tmp

memory/1544-88-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1220-87-0x0000000000000000-mapping.dmp

memory/1544-89-0x00000000003B5000-0x00000000003C6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-08 19:16

Reported

2023-02-08 19:19

Platform

win10v2004-20220901-en

Max time kernel

90s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3_.exe"

Signatures

Lockbit

ransomware lockbit

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\PublishLimit.raw => C:\Users\Admin\Pictures\PublishLimit.raw.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File opened for modification C:\Users\Admin\Pictures\PublishLimit.raw.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File renamed C:\Users\Admin\Pictures\SyncImport.raw => C:\Users\Admin\Pictures\SyncImport.raw.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File opened for modification C:\Users\Admin\Pictures\SyncImport.raw.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File renamed C:\Users\Admin\Pictures\CompleteSplit.raw => C:\Users\Admin\Pictures\CompleteSplit.raw.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File opened for modification C:\Users\Admin\Pictures\CompleteSplit.raw.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File renamed C:\Users\Admin\Pictures\DenyOptimize.crw => C:\Users\Admin\Pictures\DenyOptimize.crw.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
File opened for modification C:\Users\Admin\Pictures\DenyOptimize.crw.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\ProgramData\7D.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\7D.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\HoBZnAfiW.bmp" C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\HoBZnAfiW.bmp" C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\7D.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon\ = "C:\\ProgramData\\HoBZnAfiW.ico" C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW\ = "HoBZnAfiW" C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4868 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe C:\ProgramData\7D.tmp
PID 4868 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe C:\ProgramData\7D.tmp
PID 4868 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe C:\ProgramData\7D.tmp
PID 4868 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\LB3_.exe C:\ProgramData\7D.tmp
PID 5096 wrote to memory of 996 N/A C:\ProgramData\7D.tmp C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 996 N/A C:\ProgramData\7D.tmp C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 996 N/A C:\ProgramData\7D.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LB3_.exe

"C:\Users\Admin\AppData\Local\Temp\LB3_.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\ProgramData\7D.tmp

"C:\ProgramData\7D.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7D.tmp >> NUL

Network

Country Destination Domain Proto
NL 104.80.225.205:443 tcp
US 20.189.173.4:443 tcp
US 8.253.183.120:80 tcp
US 8.253.183.120:80 tcp
US 8.253.183.120:80 tcp

Files

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\AAAAAAAAAAA

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\IIIIIIIIIII

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\VVVVVVVVVVV

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\YYYYYYYYYYY

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\UUUUUUUUUUU

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\TTTTTTTTTTT

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\SSSSSSSSSSS

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\WWWWWWWWWWW

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\XXXXXXXXXXX

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\OOOOOOOOOOO

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\NNNNNNNNNNN

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\MMMMMMMMMMM

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\LLLLLLLLLLL

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\KKKKKKKKKKK

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\JJJJJJJJJJJ

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\HHHHHHHHHHH

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\FFFFFFFFFFF

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\EEEEEEEEEEE

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\DDDDDDDDDDD

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\CCCCCCCCCCC

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\BBBBBBBBBBB

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\QQQQQQQQQQQ

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\RRRRRRRRRRR

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\GGGGGGGGGGG

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\PPPPPPPPPPP

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini

MD5 ae8f938fe1d8af419e4d2271d32f4f8f
SHA1 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a
SHA256 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83
SHA512 a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e

memory/5096-158-0x0000000000000000-mapping.dmp

C:\ProgramData\7D.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/996-161-0x0000000000000000-mapping.dmp

memory/5096-162-0x0000000000400000-0x0000000000407000-memory.dmp