Overview

overview

10

Static

static

10

LB3.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    22s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-07-2024 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LB3.exe

  • Size

    147KB

  • MD5

    784ce1cab14588f385b179f9606009eb

  • SHA1

    b57f0bad0ec1d3ca1b90d892252f829d9683d33a

  • SHA256

    56b370f9b02c4aa27c815e97797e1e21638f0cf032d5cffaf21bf8223a64c01b

  • SHA512

    7ec7614e08dd9a69d9184b9efa37fcfa6828b57cd1f65538b88edf6379540ec2bc5ebc53f9b0a89444d793433277aaedc47cef69b417a00d1bc3f153d77f4c31

  • SSDEEP

    3072:D6glyuxE4GsUPnliByocWep0vTsjforRRk4dzW:D6gDBGpvEByocWeevwzikw

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\MGCjxqq8r.README.txt

Ransom Note
~~~ XdrZaman Ransomware ~~~ >>>> Your data are stolen and encrypted You need to pay 100$ to this address BTC: bc1qx3qwft3t3dc4rcke0e8lrhtxrkp5xq5nf3xktr The data will be published on TOR website if you do not pay the ransom >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Tox ID LockBitSupp: CA5F6002ABA4DB818F89143499F9CF833E0FFB1D174E837FB2881D4576B0160693307E7564A2 >>>> Your personal DECRYPTION ID: DF03BF5536BD458F420CC8A34DC2F708 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

Signatures

  • Renames multiple (452) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:6000
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
    1⤵
    • Drops file in Windows directory
    PID:5696
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MGCjxqq8r.README.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:5904
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    1⤵
    • Drops file in System32 directory
    PID:6100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1453213197-474736321-1741884505-1000\YYYYYYYYYYY
    Filesize

    129B

    MD5

    3a53e96ce3ade75e600b7d8b83728386

    SHA1

    94a7ab556795c36cc53da51db2e2bf9fd1c99aa3

    SHA256

    9ee374ee630a9d0cd1bbd9867dfbc81431c8f16eef576ce246c3176451187daa

    SHA512

    4ac339122a22788d62d07be3cee7765845ee9d693692575e1745b0a8f36fe7c5b6b815e4046cb449632137a4add4aa4493f55e6ac951406479e764bb1be5e2ab

    Download Submit

  • C:\MGCjxqq8r.README.txt
    Filesize

    1KB

    MD5

    1f81ba8400f70159ff8b359dff8be686

    SHA1

    52ec768c2007237312229a90f780601cd2d8d64c

    SHA256

    25c918cc6cc7d4b04dafe8b13b1e58ec9df5acb9780a084ce5082890e150ab85

    SHA512

    c69a0b6dd231e6596c82781154809e5c67b3aec927725558a764fa37e5f99a71ab9d95e7665943f5d8686c2f138b85d69dc9e853266cecdfb2167b852a7cf6a0

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-1453213197-474736321-1741884505-1000\DDDDDDDDDDD
    Filesize

    129B

    MD5

    53f07c1dbd35eb08b409a7f7068137ad

    SHA1

    9f8f0d585a8ff0ecb718a254a80f0c5173797565

    SHA256

    e0a5539a4bead218b58ca20ae1d8bfc3a05d242ecd82ea92625731afede539cb

    SHA512

    d6cdda6e1c8d2910275a06014a25b848385940399635186d6bbeec27b8b5019de22866c8d6f53ccdf8ab6b4f59a0f321406a2dff0517187db759305960791aa9

    Download Submit

  • memory/900-2562-0x0000000002660000-0x0000000002670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/900-0-0x0000000002660000-0x0000000002670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/900-1-0x0000000002660000-0x0000000002670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/900-2-0x0000000002660000-0x0000000002670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/900-2563-0x0000000002660000-0x0000000002670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/900-2564-0x0000000002660000-0x0000000002670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5696-2548-0x0000022893720000-0x0000022893730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5696-2559-0x00000228982D0000-0x00000228982D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5696-2560-0x00000228982E0000-0x00000228982E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5696-2557-0x0000022893D30000-0x0000022893D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5696-2555-0x00000228937F0000-0x00000228937F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5696-2544-0x00000228934A0000-0x00000228934B0000-memory.dmp

    Filesize

    64KB

    Download