Overview

overview

10

Static

static

10

LbsClient.exe

windows7-x64

10

LbsClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1592s
  • max time network
    1595s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    23-03-2023 11:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LbsClient.exe

  • Size

    63KB

  • MD5

    762f2fc17465058d27010124bb425202

  • SHA1

    1b6b701c9c09128886e4676c4f1e534c7db39ad9

  • SHA256

    ae045f8e36db8f38af35258127ff43a71d522ae6ad15b7aad527bf75dd7a7666

  • SHA512

    329eacc85396f176fb30989f8d85fbeea097388ab37edecf22c3f4f368c1b0b0106cc7ec5c5ad06abbe488868ce4a5731ab04e4e7852a3d37bb1bdc42bb4e932

  • SSDEEP

    768:8FfQVS7rGOe01ZDKMFiw7qyignMEOoCenkHubK23vuEBXKZ7ifudOPJhsAjDOep:Yfo/mKM1qrgnqebKivpaV0udOR3us

Score
10/10
xwormpersistenceransomwarerattrojan

Malware Config

Extracted

Family

xworm

C2

ways-examining.at.ply.gg:18120

Attributes
  • install_file

    USB.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 13 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LbsClient.exe
    "C:\Users\Admin\AppData\Local\Temp\LbsClient.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1400
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA16E.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:364

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    e71c8443ae0bc2e282c73faead0a6dd3

    SHA1

    0c110c1b01e68edfacaeae64781a37b1995fa94b

    SHA256

    95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

    SHA512

    b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    23a2dd4e6b076bf3e9ef7d315ca503cc

    SHA1

    0948e737e57c6427ca0529a19bbaf70b0b341258

    SHA256

    82db8b53ba2bbd94980ecd39d0f9ea7a6f5df50fae90fea99b23f12cb4a2e216

    SHA512

    4df4a9a7c913a5742fd6846a017d3c8bc31a9deb41c587afed7367c9bea78bcf8084689a20226aafed17ec2535fb5fe3f8c278eb6ecf0ce3d34e8356937127af

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    76bbfe500e18ed5da1d8dd538385b47e

    SHA1

    32218ea28c00261e962e630f39253a07b1a983c1

    SHA256

    27663b3b3edefcf74100e93808eca16ff0887bc223bbf8bbb669555ba2325783

    SHA512

    f252c20a205b7833c3e2231d09f8f1b19e00c4050092ea26245020ddef822c4fc5a5e3b21a43e2a90ccceb585ab7714213ba572a6b9250cd22a6ac8d844c8485

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    950ce0986db78f1bd8cccad057afd901

    SHA1

    df93984b97f1f5f67086bbc414239e7b9e10f18b

    SHA256

    ba2741ac40effa661db334dbbdb121ea0d823753d772213ba966d3cac4546445

    SHA512

    5121b3583b10b3a95e81806f6af9ea5da0448e478907081d3dce24007cc13e5abb1c3e85f7061938800cc1ba6a8d9fcc1cac0f43a7cb6c5682840cc0373a5226

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    da85865bd58b6519b521db54675debbe

    SHA1

    5d6c7b3dd80d9a183d8c0f725c619e246b1f257a

    SHA256

    3dcfd6600f6160a0a66b6eb2f5e44d0579087b6e06aeb101dbc3c353216aeeec

    SHA512

    e9efe48370b8c39efa668b826367a5f8b83a092905cc2aed4f31a94db318a5e6babceb373565e32c31b58005a2f110862b71e31f36436fc1094403f0f54fc5a4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    19f523bb89a95f7d477ed92756f30a10

    SHA1

    ecd746c6a74c1b08560a9fccaf313d87bb530b86

    SHA256

    d7525503bbb8ad9a9b0fccbe7a58b8cb058ebc73166bc3596d5b86df100b4cd7

    SHA512

    6fd16be947d32ccc0333faa9c9a5bf2606cb69f11de086bbc737cabd09a74c8aabd7e0e04fc6c545bece8ac7e771df78105111223f2baf3e834434f8c9fb927e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4aada5bd705867ab0146d2e8500eb27b

    SHA1

    14a97b6ef1247551eb7042ca4680ef7df8ff80d7

    SHA256

    8d56c6d00965d84642fafea4af34311b82d0e2799b9f2476eda279ec33e13dca

    SHA512

    eb07fdce04d07797b7a20d92a39cedf3a4944b785a24f9f1f72f6462096888ad448ac3c61bf06bf2f63b645f0617ff737434c9cdc1ef534eff9dc47dbdde9577

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    addac61ca5a5542d1dc4a94b740efca2

    SHA1

    96fde085a1356a21267c8a8df0d8fe2090c4ea69

    SHA256

    d38c19f782185803992342041291d94caf5c6fff545b1c2530395f0c6b9165a8

    SHA512

    478c6925506abc276b4c1efe17a96b5a28fe7f9efb49b1e51fec76548cb082e2556b88488deb507d217920ff083b6eba1b03f01c20cf7ea52cd62d01788ea9b7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    97a1c8740ad843b55d0100354dc0660c

    SHA1

    beb3273a45ec302e4853e2d3ddf5c84bed4c3a7d

    SHA256

    87b2d3cc297551f3ac387d36bf31adb98f0b9c4514e66c5a1af00e459c46f328

    SHA512

    797b0b60dbddb75afa7fc6160c68624400a92b4bf5f355ef20d71069cd4044479e3b51c23654d5e0b2c6f3022d59847a2bb35f6b8ff0641706c1d7295d39a9b4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabD05D.tmp
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarD495.tmp
    Filesize

    161KB

    MD5

    73b4b714b42fc9a6aaefd0ae59adb009

    SHA1

    efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

    SHA256

    c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

    SHA512

    73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarDB01.tmp
    Filesize

    161KB

    MD5

    be2bec6e8c5653136d3e72fe53c98aa3

    SHA1

    a8182d6db17c14671c3d5766c72e58d87c0810de

    SHA256

    1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

    SHA512

    0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpA16E.tmp.bat
    Filesize

    161B

    MD5

    ca0efff653065e568245bf8e53324200

    SHA1

    f1a3bf3fede6c10bd40c42ca0764f4552e226436

    SHA256

    2d375d85075bd562d2424edf096c5dfde275a1bd5ca2b22bda68a6a7bac108c8

    SHA512

    3826bd71d01a71f3b821bae0622808b42610406fda1ff10aa4bb5fed4db69dfb4bfc1ff20277de676e5e55a4aef9163d206f704c45ad536913cba73847f2385b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpA16E.tmp.bat
    Filesize

    161B

    MD5

    ca0efff653065e568245bf8e53324200

    SHA1

    f1a3bf3fede6c10bd40c42ca0764f4552e226436

    SHA256

    2d375d85075bd562d2424edf096c5dfde275a1bd5ca2b22bda68a6a7bac108c8

    SHA512

    3826bd71d01a71f3b821bae0622808b42610406fda1ff10aa4bb5fed4db69dfb4bfc1ff20277de676e5e55a4aef9163d206f704c45ad536913cba73847f2385b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9BFERCD8.txt
    Filesize

    601B

    MD5

    419981bce7ccadad11934d9d34addc08

    SHA1

    8e3a13d9b049a2884a70b98611377671d1becb86

    SHA256

    766073af2ba3771ef021edf32b9af38bbf2723fd136c7f15a18e4dc883678cee

    SHA512

    4fcbbc4984bd0b5eadf42623a76ba0414844ccf86cc6d2056528b7c8f6c16b4dfadfa6dd93f861d997e02b0a43ee37bc099c521445bd070844520af60ace715b

    Download Submit

  • C:\Users\Admin\Desktop\How To Decrypt My Files.html
    Filesize

    721B

    MD5

    6c5a8ad499d266587d6c1d3aef66d121

    SHA1

    b096729bf4e9115391776bb09c6d676f1287111d

    SHA256

    a4acf18ce9e6fd576d84db4f3717e8d09281e78db8aa3aad4c85b7106f38de31

    SHA512

    bc4d4b2d4d5b4030e7f309a956e38da88578ec45326aaa4b3e27344314375a542b5c330eccd8068c9145549f7ea1de41f49d5ed557799f0227ca301b25c14624

    Download Submit

  • C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC
    Filesize

    16B

    MD5

    7de123abd52f05d35c662e1b2fac960d

    SHA1

    0cb58d891e5b98a88d699ce6e57b9e1085a266ca

    SHA256

    c3473be1c9bd18644c928e490b5e1a0026fe252202380ea8515ece50e4374912

    SHA512

    0fa390845044938b2f7fabd6d9c7d734698c655af197b361c592305134ddb5fc97045d7b6ede4cb6e21d7c64a394e1f566be7049e3e618a90628f556bac44154

    Download Submit

  • memory/1468-1206-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1468-54-0x0000000000380000-0x0000000000396000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1468-55-0x000000001B390000-0x000000001B410000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1468-59-0x000000001A700000-0x000000001A70A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1468-1237-0x000000001ADE0000-0x000000001ADEC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1468-1238-0x000000001ADF0000-0x000000001ADFC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1468-231-0x000000001B390000-0x000000001B410000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1468-61-0x000000001A730000-0x000000001A73C000-memory.dmp

    Filesize

    48KB

    Download