dec9845622a1996d768b0f38b7d7d16e6c76b2572b7e2eac55f678e686d4dc6f

Analysis

max time kernel
44s
max time network
22s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LB3.exe
Size

145KB
MD5

2a704c78d287be6fb1a9324dd3bbd780
SHA1

2f79d2d07b33be225d3d333477c2d2159a471e0e
SHA256

dec9845622a1996d768b0f38b7d7d16e6c76b2572b7e2eac55f678e686d4dc6f
SHA512

a2681bdb05ecb2636958b37a65c32bfd27467b241052133ad7f02bb634ad6e5539718ba810c3568f9cf3d10996cdd255e6632c75565ec40b278cff88713a812d
SSDEEP

3072:S6glyuxE4GsUPnliByocWepLk+B2Rq+V8Lmp:S6gDBGpvEByocWelKq8T

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (363) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

3295.tmp

pid	Process
2892	3295.tmp

Executes dropped EXE 1 IoCs

Processes:

3295.tmp

pid	Process
2892	3295.tmp

Loads dropped DLL 1 IoCs

Processes:

LB3.exe

pid	Process
1996	LB3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

LB3.exe

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini	LB3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini	LB3.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

LB3.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AjrMf9Fb5.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AjrMf9Fb5.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

LB3.exe3295.tmp

pid	Process
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe
2892	3295.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

LB3.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop	LB3.exe

Modifies registry class 5 IoCs

Processes:

LB3.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.AjrMf9Fb5	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.AjrMf9Fb5\ = "AjrMf9Fb5"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AjrMf9Fb5\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AjrMf9Fb5	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AjrMf9Fb5\DefaultIcon\ = "C:\\ProgramData\\AjrMf9Fb5.ico"	LB3.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

LB3.exe

pid	Process
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe
1996	LB3.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

3295.tmp

pid	Process
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp
2892	3295.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LB3.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeDebugPrivilege	1996	LB3.exe
Token: 36	1996	LB3.exe
Token: SeImpersonatePrivilege	1996	LB3.exe
Token: SeIncBasePriorityPrivilege	1996	LB3.exe
Token: SeIncreaseQuotaPrivilege	1996	LB3.exe
Token: 33	1996	LB3.exe
Token: SeManageVolumePrivilege	1996	LB3.exe
Token: SeProfSingleProcessPrivilege	1996	LB3.exe
Token: SeRestorePrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeSystemProfilePrivilege	1996	LB3.exe
Token: SeTakeOwnershipPrivilege	1996	LB3.exe
Token: SeShutdownPrivilege	1996	LB3.exe
Token: SeDebugPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeBackupPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe
Token: SeSecurityPrivilege	1996	LB3.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

LB3.exe3295.tmp

description	pid	Process	procid_target
PID 1996 wrote to memory of 2892	1996	LB3.exe	30
PID 1996 wrote to memory of 2892	1996	LB3.exe	30
PID 1996 wrote to memory of 2892	1996	LB3.exe	30
PID 1996 wrote to memory of 2892	1996	LB3.exe	30
PID 1996 wrote to memory of 2892	1996	LB3.exe	30
PID 2892 wrote to memory of 3060	2892	3295.tmp	31
PID 2892 wrote to memory of 3060	2892	3295.tmp	31
PID 2892 wrote to memory of 3060	2892	3295.tmp	31
PID 2892 wrote to memory of 3060	2892	3295.tmp	31

C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\ProgramData\3295.tmp
  "C:\ProgramData\3295.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3295.tmp >> NUL
    3⤵
    PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini

Filesize
129B

MD5
fdacd7236f32426ed053290b85bcc02c

SHA1
ff8d1d3916f797b0ee8c5c59dd1c55a189a1b576

SHA256
5868d405b0dd725faa14c78a80b1bac2b9d9ae3edde45c4d43adaf02a57bfeae

SHA512
43b3af2783d3078a143e16ac2f7ae7e7fac379c582e5440de7e0dee752dda1609b690fa0b9195327d3781820e783ec85cb67391b54889aa83b62ea86951f6590

Download Submit
C:\AjrMf9Fb5.README.txt

Filesize
19B

MD5
7edb66f1ed51a03a8b381c2307756c3c

SHA1
60fbdfcefe96843c077b66f7df2f89cbb3bd0312

SHA256
0fb417b326d101acbdbb29f1a10c8cfea19b6ce313c17f970ecbfd318c5015dd

SHA512
f65dc6c8a1494c267b217f562a6c98fa4b8d7ee9a77127d4062a6fba5e26879b9a4adb5649b3777d26f95ba491f29cde343fc4353e9ef6c8648ed51332a87dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDD

Filesize
145KB

MD5
2e42476508011a0efbf60e764f536eec

SHA1
78ad67aa29c8b52593918612048e4741fa3cb2f3

SHA256
beadcf9b2ad9c5774d0a3991e85e76e7b31da3a8da30cd59544f450f340b028c

SHA512
adba1c6520d4c4bac4c2d161b6b5de9f3f7416942834929adb757ff47353c20dcca783d1af9f1c224d61d354da97f63fde6d7cfbefe501bcedb27ba016786928

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\CCCCCCCCCCC

Filesize
129B

MD5
c18570a6836696b3109b136f18b2c3bf

SHA1
fc21f73a2ed66c491af904547d9f73317e20c180

SHA256
21fb46feb55e3231474b92eb723fe9a3286027bb3879b53524f735db920da89a

SHA512
10ff5fe40e8cc5d4c66697e24e2d9e385b37960d395885d6f54d1800e65656e970799a656d198d1f6eaa5eea515f359c4aba3ef87cf873a6bec5de489ce1bf34

Download Submit
\ProgramData\3295.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1996-0-0x0000000002120000-0x0000000002160000-memory.dmp

Filesize
256KB

Download
memory/2892-896-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2892-898-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download