169da58a5e57c6a68c1b9c07061b70e6c60d23f1708821a091d6f41907b0e9d7

Analysis

max time kernel
150s
max time network
146s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-07-2024 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LB3.exe
Size

146KB
MD5

567371a071752719b9890da555dccb9a
SHA1

4e076a6c2a213f5efc197cdd9e08d8362c24f456
SHA256

169da58a5e57c6a68c1b9c07061b70e6c60d23f1708821a091d6f41907b0e9d7
SHA512

08081a7a8dbf3434088c9fc51506e078db95abf8cf4797a279f5145d6658c970be896b4adcb25e40d2ecc115e2b11e0d7a688fbd34be98a4d8e62f83cf361e8a
SSDEEP

3072:C6glyuxE4GsUPnliByocWepW5nVTbXaiMI9iyVD4cr:C6gDBGpvEByocWegn1Jlr4

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\tmVnvSyWm.README.txt

Ransom Note

>>>> Your data are stolen and encrypted All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is 500$. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - www .coinmama.com Bitpanda - www .bitpanda.com Bitcoin Address: bc1qccpche8qeyxcj4vptta27g2xjv9k2y889wre6w You should send the amount to this bitcoin address. AFTER the payment contact this email to recover your data: [email protected]

Emails

[email protected]

Signatures

Renames multiple (521) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

ADD5.tmp

pid	Process
1156	ADD5.tmp

Executes dropped EXE 1 IoCs

Processes:

ADD5.tmp

pid	Process
1156	ADD5.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

LB3.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4106386276-4127174233-3637007343-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4106386276-4127174233-3637007343-1000\desktop.ini	LB3.exe

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PP_8t7aciwa0937yaoi5ttjaqqd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP5zcfie_0p5e6o_2b_x50j756.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPj9hy_wulf0bhb5oxjp8u9pyid.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

LB3.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\tmVnvSyWm.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\tmVnvSyWm.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

LB3.exeADD5.tmp

pid	Process
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
1156	ADD5.tmp

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

LB3.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop	LB3.exe

Modifies registry class 5 IoCs

Processes:

LB3.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tmVnvSyWm	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tmVnvSyWm\DefaultIcon\ = "C:\\ProgramData\\tmVnvSyWm.ico"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tmVnvSyWm	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tmVnvSyWm\ = "tmVnvSyWm"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tmVnvSyWm\DefaultIcon	LB3.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

LB3.exeONENOTE.EXE

pid	Process
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
4364	LB3.exe
68	ONENOTE.EXE
68	ONENOTE.EXE

Suspicious behavior: RenamesItself 26 IoCs

Processes:

ADD5.tmp

pid	Process
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp
1156	ADD5.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LB3.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeDebugPrivilege	4364	LB3.exe
Token: 36	4364	LB3.exe
Token: SeImpersonatePrivilege	4364	LB3.exe
Token: SeIncBasePriorityPrivilege	4364	LB3.exe
Token: SeIncreaseQuotaPrivilege	4364	LB3.exe
Token: 33	4364	LB3.exe
Token: SeManageVolumePrivilege	4364	LB3.exe
Token: SeProfSingleProcessPrivilege	4364	LB3.exe
Token: SeRestorePrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeSystemProfilePrivilege	4364	LB3.exe
Token: SeTakeOwnershipPrivilege	4364	LB3.exe
Token: SeShutdownPrivilege	4364	LB3.exe
Token: SeDebugPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeBackupPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe
Token: SeSecurityPrivilege	4364	LB3.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

ONENOTE.EXE

pid	Process
68	ONENOTE.EXE
68	ONENOTE.EXE
68	ONENOTE.EXE
68	ONENOTE.EXE
68	ONENOTE.EXE
68	ONENOTE.EXE
68	ONENOTE.EXE
68	ONENOTE.EXE
68	ONENOTE.EXE
68	ONENOTE.EXE
68	ONENOTE.EXE
68	ONENOTE.EXE
68	ONENOTE.EXE
68	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

LB3.exeprintfilterpipelinesvc.exeADD5.tmp

description	pid	Process	procid_target
PID 4364 wrote to memory of 1776	4364	LB3.exe	76
PID 4364 wrote to memory of 1776	4364	LB3.exe	76
PID 3036 wrote to memory of 68	3036	printfilterpipelinesvc.exe	78
PID 3036 wrote to memory of 68	3036	printfilterpipelinesvc.exe	78
PID 4364 wrote to memory of 1156	4364	LB3.exe	79
PID 4364 wrote to memory of 1156	4364	LB3.exe	79
PID 4364 wrote to memory of 1156	4364	LB3.exe	79
PID 4364 wrote to memory of 1156	4364	LB3.exe	79
PID 1156 wrote to memory of 2176	1156	ADD5.tmp	80
PID 1156 wrote to memory of 2176	1156	ADD5.tmp	80
PID 1156 wrote to memory of 2176	1156	ADD5.tmp	80

C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:1776
- C:\ProgramData\ADD5.tmp
  "C:\ProgramData\ADD5.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\ADD5.tmp >> NUL
    3⤵
    PID:2176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
- Drops file in Windows directory
PID:3676

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{7D856FBE-F523-4DAD-BE4D-E27ED93CB168}.xps" 133646112256260000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:68

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4106386276-4127174233-3637007343-1000\PPPPPPPPPPP

Filesize
129B

MD5
bb62ecd67243d25b4f3efb18bf40211b

SHA1
2ef96b589d0e9e0a254c8bb7be14c200be02ee58

SHA256
272d2c5650be27e25e06bec69f2bc993815e31a36bbf6301034911ce69119174

SHA512
30b05c704c34ad70e9c554fe473675a6f7f7ccdd650f326a08f0181b1e4ddad3497c35ef28a692b5ab20c3b9173c550475fb7fbd60d998ea2d6b728e76eb967c

Download Submit
C:\ProgramData\ADD5.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{7D856FBE-F523-4DAD-BE4D-E27ED93CB168}.xps

Filesize
12.2MB

MD5
8cb9da7a282312f7001505011b91eac7

SHA1
83176a92a866b6962ae16a5ba0ff6e5f67afa56e

SHA256
b96da0a0385f89f473332022051ba9cee6825dce66ad9d37169fdc3f39a794a4

SHA512
15f1cb865ba98f2a929e4c3590b83ff720aa7b485705f49cc5480672e0d2c75959f85eee336fbef3a24e6af1135ca187afeb3d22aad7b39513755cf375218a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCCCCCC

Filesize
146KB

MD5
137355147f2bd55628dcffd4dcf1b386

SHA1
23f46a48dbc3ad8fd27763df4e3fcb0df94a30f7

SHA256
1ebcdc871a1ea77145931f3b82f877148f61fbe67a90906e029c84f96098cc78

SHA512
dd33b7e3689166d52be998af45bc9e91251ca39343b1471e4b56f18db212825f5ea9341ec1ee671f9372fbe466178f3ec6cc9b242e3d53c96a1f543c2a80f354

Download Submit
C:\Users\Admin\AppData\Local\Temp\{51CC270E-4027-445F-B071-9C22A0403F72}

Filesize
4KB

MD5
8cc1860420528451da02d503f34420ca

SHA1
66b55ffcac9310bc3e3715e6f55a8e416ac2954f

SHA256
29b44e22964b685b5938db92a7c8e6fe8a5c71f9510844f69cc3d86bcb3a11e6

SHA512
076e7182336804a1aef6340a21511ed45eff2de59a668fce12bd5a195f8cac2aaea0999d392aa00ff6e554aae5e7dc6c68cc4ada98f1018376ce03a8689d4769

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
4dcbf0738948d996605aa5e18a0c06f1

SHA1
0c219dc229f62a4b0e7b3fe8f79357c5e90e9045

SHA256
42d52f0d8a4ca69f1a42404c2ccd4938b64bb743ab8d343e78f9479f06ba8f70

SHA512
b00470d911ff05f6394501942968a5f9b2e2f8dfb3beeec3394682e1163fb72b5147493f5f040926e0f5f9dbbba231bcb5babbd8716139153b490598c3aaabe7

Download Submit
C:\tmVnvSyWm.README.txt

Filesize
1016B

MD5
0b45fc3bb5ecfc4c26e03fac71d58901

SHA1
a74cdcd027147a06dfb6bb09030ce630eacd2d77

SHA256
9569d1f997217139e5c79398af8e20382201ae66d07f31a71635dc072febe122

SHA512
74b244770db52bcf50db9aeb3102eb9ec9253f5adcff200bef8e1d9e49d8d5e7b2e1c333b5f92723502ecbb3b9922eb4f9fa404a65c988afae0ad56e0303fa5e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4106386276-4127174233-3637007343-1000\DDDDDDDDDDD

Filesize
129B

MD5
cb2a5bee5d6263a12b9959e152e3ae79

SHA1
ffd3278993ae272d056dc5c969afa3490a6efd46

SHA256
a51ed6d45cedb521ad6f168716e64e80a95a522b7995ca55791a1a95c52b763b

SHA512
c5a8e89f0160b86096a0e5398bc087be10ebbe27919dc8fac304c0a8ad7f452917f0a666b9956c9d39b9fd7fe8d8b71faea193cfaa2228dab8de3b9448977816

Download Submit
memory/68-2891-0x00007FFD6A650000-0x00007FFD6A660000-memory.dmp

Filesize
64KB

Download
memory/68-2890-0x00007FFD6A650000-0x00007FFD6A660000-memory.dmp

Filesize
64KB

Download
memory/68-2923-0x00007FFD66F40000-0x00007FFD66F50000-memory.dmp

Filesize
64KB

Download
memory/68-2910-0x00007FFD66F40000-0x00007FFD66F50000-memory.dmp

Filesize
64KB

Download
memory/68-2889-0x00007FFD6A650000-0x00007FFD6A660000-memory.dmp

Filesize
64KB

Download
memory/68-2887-0x00007FFD6A650000-0x00007FFD6A660000-memory.dmp

Filesize
64KB

Download
memory/3676-2642-0x000001CB9B2A0000-0x000001CB9B2A1000-memory.dmp

Filesize
4KB

Download
memory/3676-2652-0x000001CB9F860000-0x000001CB9F861000-memory.dmp

Filesize
4KB

Download
memory/3676-2560-0x000001CB9AAB0000-0x000001CB9AAC0000-memory.dmp

Filesize
64KB

Download
memory/3676-2687-0x000001CB9F9C0000-0x000001CB9F9C1000-memory.dmp

Filesize
4KB

Download
memory/3676-2668-0x000001CB9F9A0000-0x000001CB9F9A1000-memory.dmp

Filesize
4KB

Download
memory/3676-2564-0x000001CB9B1A0000-0x000001CB9B1B0000-memory.dmp

Filesize
64KB

Download
memory/4364-2-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/4364-0-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/4364-1-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download