Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-07-2024 23:59

General

  • Target

    LB3.exe

  • Size

    146KB

  • MD5

    567371a071752719b9890da555dccb9a

  • SHA1

    4e076a6c2a213f5efc197cdd9e08d8362c24f456

  • SHA256

    169da58a5e57c6a68c1b9c07061b70e6c60d23f1708821a091d6f41907b0e9d7

  • SHA512

    08081a7a8dbf3434088c9fc51506e078db95abf8cf4797a279f5145d6658c970be896b4adcb25e40d2ecc115e2b11e0d7a688fbd34be98a4d8e62f83cf361e8a

  • SSDEEP

    3072:C6glyuxE4GsUPnliByocWepW5nVTbXaiMI9iyVD4cr:C6gDBGpvEByocWegn1Jlr4

Malware Config

Extracted

Path

C:\tmVnvSyWm.README.txt

Ransom Note
>>>> Your data are stolen and encrypted
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.
What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is 500$. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable:
Coinmama - www .coinmama.com
Bitpanda - www .bitpanda.com
Bitcoin Address: bc1qccpche8qeyxcj4vptta27g2xjv9k2y889wre6w
You should send the amount to this bitcoin address. AFTER the payment contact this email to recover your data: [email protected]

Signatures

  • Renames multiple (612) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Control Panel (2 IoCs)
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (16 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID: 4344
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      • Drops file in System32 directory
      PID: 2032
    • C:\ProgramData\804D.tmp
      "C:\ProgramData\804D.tmp"
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID: 1864
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\804D.tmp >> NUL
        PID: 4924
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    PID: 1832
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID: 4408
    • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9A0D8323-5883-4978-B9E3-742BF70A5CBF}.xps" 133646112296300000
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID: 4228
