Resubmissions

03/08/2024, 12:19 UTC

240803-pg7lpasfql 10

15/03/2024, 00:25 UTC

240315-aqtc4adf33 10

15/03/2024, 00:20 UTC

240315-amv3hsde39 10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/03/2024, 00:20 UTC

General

  • Target

    LB3.exe

  • Size

    147KB

  • MD5

    1973ccbab82020881d531ccd1f2ca48e

  • SHA1

    7e18f712e26ea32b0e8aeb4cd3c958eb8d32dfed

  • SHA256

    d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847

  • SHA512

    67654e67afe6a3e1ddf335dff4b976e254c45d8046853607cb4e98af6cd43accee8f2e35e296b932385bc9a6b7fed96ee4be6e113457eb5eb057bd8301f476f6

  • SSDEEP

    1536:PzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD8UhzyIccE+72p2Kbm+0ep3PeAM:wqJogYkcSNm9V7D8URMcS0ep3BcTT

Malware Config

Extracted

Path

C:\xcEElHqGu.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware~~~

>>>> Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom

All of your files have been encrypted!
(Warning: Attempting to remove the software will corrupt your hard drives meaning no further use even when wiped. We simply charge $25 which is far cheaper than buying a new drive.)

Your computer was infected with a ransomware software. Your files have been encrypted and you won't be able to decrypt them without purchasing $25 BTC.

What can I do to get my files back?
You will send payment of $25 BTC to gain access to your files again, once payment is made after 3 confirmations on the blockchain (15 mins) your files will be restored and the software will un-install itself from your computer.

How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com

Payment will increase soon to double, be cooperative and your files will be released.

Payment information
Amount: 0.000385636 BTC
Bitcoin Address: bc1qc76qr24pxnms9f93mytfg4dn7ztuvmje7g43dr

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Renames multiple (356) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (2 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Modifies Control Panel (2 IoCs)
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious behavior: RenamesItself (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe (depth 1)
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    PID: 2244
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\ProgramData\367B.tmp (depth 2)
      "C:\ProgramData\367B.tmp"
      PID: 2940
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (depth 3)
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\367B.tmp >> NUL
        PID: 1472
  • C:\Windows\system32\AUDIODG.EXE (depth 1)
    C:\Windows\system32\AUDIODG.EXE 0x14c
    PID: 2856

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini

        Filesize

        129B

        MD5

        892fb6ce3889a1c5c5f854bbd2f2e944

        SHA1

        4d625755f3d560668bcacce7b191e544606a8324

        SHA256

        94ed753210b86d66f36f84ab79b7d771e0b27a45e95390767c27514f7a215272

        SHA512

        8c700dd0a2aecfde0040efd728c7ec590ff22072d7479dfe4bad32fedc49890872a0def538eb01a39eb7063edea694a2dc1759d82da1cda4fa93b33815b69591

      • C:\Users\Admin\AppData\Local\Temp\RRRRRRR

        Filesize

        147KB

        MD5

        789c5b7a6541be3acc4f301371a005b0

        SHA1

        4ac960e08b0ea1d5300857a71fa3006e91a43a65

        SHA256

        3bb07b1c6ec4fed2635eba58dc5602fc9c52268243a9a338f302e64794e5e626

        SHA512

        db471b36e1eaf0431f0b84deff514ee74f452025b15ec6960277a0b6679db7acd96fb75cabfff40caa1ae845b4511831f0eed046c5aa872d5f45bf75b58a52b3

      • C:\xcEElHqGu.README.txt

        Filesize

        1KB

        MD5

        7fd2336a4cae4c2f51bb0860a6748860

        SHA1

        69ef22fd3afb86945d371d4be0fe9c507880dd1b

        SHA256

        413dd9df6327c861bd0ba99a1e99b2b00b75961230d8b499c993419da1ecca29

        SHA512

        8791bd4195522517edd5a05cec17473fb01bd9865d4f4ea9966ee105fc0dc9d720c56c84af278d3bb5b31915aba678b7786e086f4890ea138f2ff47f0288c523

      • F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        3e655daab0ca68e552edf2e700325056

        SHA1

        ee3876c0c80b496fd6a6fad99f9f604f9d2184ce

        SHA256

        5c41076fc300161a7a0789034d0324b27f0b0dfabd5a0a7601d45f5eab599eef

        SHA512

        93651b63f2a8e6c24b9407e379300f4a25e768116d6a8c1363d242b907b3cfe8d3e545da83b82f2a15fa425d835fe8417267ee87705f64702e732df894c5c57f

      • \ProgramData\367B.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • memory/2244-0-0x0000000002240000-0x0000000002280000-memory.dmp

        Filesize

        256KB

      • memory/2940-874-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

      • memory/2940-875-0x0000000000310000-0x0000000000350000-memory.dmp

        Filesize

        256KB

      • memory/2940-894-0x000000007EF80000-0x000000007EF81000-memory.dmp

        Filesize

        4KB

      • memory/2940-897-0x000000007EF20000-0x000000007EF21000-memory.dmp

        Filesize

        4KB

      • memory/2940-906-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB

      • memory/2940-907-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB
