Analysis

  • max time kernel
    90s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/06/2023, 11:43

General

  • Target

    LB3.exe

  • Size

    146KB

  • MD5

    33228a20a7e985f02e2ddd73cccde729

  • SHA1

    58ab960e629a609d135e1988c72f2991e5f76e30

  • SHA256

    0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194

  • SHA512

    075002dd1b0f8e536c1ff99d30368f5adfc90a2f3e7a74c9770119e7b54a5851236657b7edcb735d457e78a7e67b7c285b6ceaa6ca2907542ac208dfc8c9aabe

  • SSDEEP

    3072:36glyuxE4GsUPnliByocWepqFPUBwrqveV84:36gDBGpvEByocWe8MB4G

Malware Config

Signatures

  • Renames multiple (603) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies extensions of user files 16 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\ProgramData\C335.tmp
      "C:\ProgramData\C335.tmp"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4324
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C335.tmp >> NUL
        3⤵
          PID:1952
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3112

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\AAAAAAAAAAA

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\BBBBBBBBBBB

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\CCCCCCCCCCC

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\EEEEEEEEEEE

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\FFFFFFFFFFF

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\GGGGGGGGGGG

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\HHHHHHHHHHH

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\IIIIIIIIIII

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\JJJJJJJJJJJ

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\KKKKKKKKKKK

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\LLLLLLLLLLL

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\MMMMMMMMMMM

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\NNNNNNNNNNN

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\OOOOOOOOOOO

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\PPPPPPPPPPP

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\QQQQQQQQQQQ

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\RRRRRRRRRRR

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\SSSSSSSSSSS

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\TTTTTTTTTTT

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\UUUUUUUUUUU

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\VVVVVVVVVVV

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\WWWWWWWWWWW

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\XXXXXXXXXXX

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\YYYYYYYYYYY

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini

      Filesize

      129B

      MD5

      1ace16334c16ccbab3413f022c941aa2

      SHA1

      5fed3367acd24f0c611d0651ef5296ed6edfdaa0

      SHA256

      2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43

      SHA512

      ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

    • C:\AFfGduKAp.README.txt

      Filesize

      388B

      MD5

      c23c60bc62f1cc08c909c8f30b50041a

      SHA1

      5578092c969e501ed8a6831409acee0cb4f8d3e6

      SHA256

      7ff4f870af1a8caa4e82426747849f40ed0f9bdb787770dcfd6e9003ba9900b6

      SHA512

      cf29cff2ecc1089aaad51711a47d0f281404e8969db0c7e76c551c0a3cf477dc55f4865927976576d1a218b20535930d17080f98dacd045c2fc8c136ffc87b62

    • C:\ProgramData\C335.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDD

      Filesize

      146KB

      MD5

      f8448e1f2d70881d9f89cfde23752351

      SHA1

      223c039b236cb2f23de79e01904d7baa100b4cb1

      SHA256

      faea9c3cdbd58e5f5ffd2252a11836c74bd6c94e9cf2f9172a1a34320e791449

      SHA512

      c9c59bafa9091bad8ddcc74eb3b21c677b251e6ed8d8d41dfe68a176db304c2a8a2ada8124ef256521f0f9bb845986916de656095dc76b541b3270fe183eb8d9

    • memory/4604-188-0x00000000031A0000-0x00000000031B0000-memory.dmp

      Filesize

      64KB

    • memory/4604-189-0x00000000031A0000-0x00000000031B0000-memory.dmp

      Filesize

      64KB

    • memory/4604-2817-0x00000000031A0000-0x00000000031B0000-memory.dmp

      Filesize

      64KB

    • memory/4604-2818-0x00000000031A0000-0x00000000031B0000-memory.dmp

      Filesize

      64KB