Analysis
- max time kernel: 65s
- max time network: 70s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-07-2024 04:11
Behavioral task behavioral1
- Sample: LB3.exe
- Resource: win7-20240705-en
Behavioral task behavioral2
- Sample: LB3.exe
- Resource: win10v2004-20240704-en
General
- Target: LB3.exe
- Size: 145KB
- MD5: f24e4d221c73ebf1c2fb12d15c13fde9
- SHA1: 019ef3cbd70a0c4e3ea5c45ec4afdc28a655ed81
- SHA256: 4f006379bbd3a2b2611346595ce373595031177d7043200591d81150aefc8ee0
- SHA512: 1508ebf2cba481eda06707d133b994932688d6d3be6c1373e9e88bf8c36a02331df31dc1a575b6e4ed8a160294c88ae8767115af16af94e51b1589bdeedd1629
- SSDEEP: 3072:H6glyuxE4GsUPnliByocWepMIO/oULmUHI:H6gDBGpvEByocWeGy6
Malware Config
Signatures
-
Renames multiple (600) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation (F6F4.tmp)
-
Deletes itself 1 IoCs
Processes:
- PID 3288 F6F4.tmp
-
Executes dropped EXE 1 IoCs
Processes:
- PID 3288 F6F4.tmp
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
- File opened for modification: C:\$Recycle.Bin\S-1-5-21-587429654-1855694383-2268796072-1000\desktop.ini (LB3.exe)
- File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-587429654-1855694383-2268796072-1000\desktop.ini (LB3.exe)
-
Drops file in System32 directory 4 IoCs
Processes:
- File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (splwow64.exe)
- File created: C:\Windows\system32\spool\PRINTERS\PPon0mpltg_9m1tuz5b5q2q0lce.TMP (printfilterpipelinesvc.exe)
- File created: C:\Windows\system32\spool\PRINTERS\PPn1owc6o00hb0_a9th51sqm2u.TMP (printfilterpipelinesvc.exe)
- File created: C:\Windows\system32\spool\PRINTERS\PP69a91fpml982_n104ppqmgpsd.TMP (printfilterpipelinesvc.exe)
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\N0IKX538u.bmp" (LB3.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\N0IKX538u.bmp" (LB3.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
- PID 3468 LB3.exe (4 entries)
- PID 3288 F6F4.tmp (1 entry)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (ONENOTE.EXE)
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (ONENOTE.EXE)
-
Modifies Control Panel 2 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop (LB3.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop\WallpaperStyle = "10" (LB3.exe)
-
Modifies registry class 5 IoCs
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\N0IKX538u\DefaultIcon (LB3.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\N0IKX538u (LB3.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\N0IKX538u\DefaultIcon\ = "C:\\ProgramData\\N0IKX538u.ico" (LB3.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.N0IKX538u (LB3.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.N0IKX538u\ = "N0IKX538u" (LB3.exe)
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
- PID 3320 NOTEPAD.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
- PID 3300 ONENOTE.EXE (2 entries)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 3468 LB3.exe (64 entries)
-
Suspicious behavior: RenamesItself 26 IoCs
Processes:
- PID 3288 F6F4.tmp (26 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (all entries: PID 3468 LB3.exe):
- Token: SeAssignPrimaryTokenPrivilege
- Token: SeBackupPrivilege
- Token: SeDebugPrivilege
- Token: 36
- Token: SeImpersonatePrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeIncreaseQuotaPrivilege
- Token: 33
- Token: SeManageVolumePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeRestorePrivilege
- Token: SeSecurityPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- followed by 48 further adjustments alternating in pairs between SeBackupPrivilege and SeSecurityPrivilege (64 entries in total)
-
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
- PID 3300 ONENOTE.EXE (14 entries)
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
- PID 3468 wrote to memory of 1276 (3468 LB3.exe, procid_target 90), 2 entries
- PID 4944 wrote to memory of 3300 (4944 printfilterpipelinesvc.exe, procid_target 97), 2 entries
- PID 3468 wrote to memory of 3288 (3468 LB3.exe, procid_target 98), 4 entries
- PID 3288 wrote to memory of 2644 (3288 F6F4.tmp, procid_target 100), 3 entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\LB3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
  PID: 3468
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1276
    - Drops file in System32 directory
  C:\ProgramData\F6F4.tmp
    Command line: "C:\ProgramData\F6F4.tmp"
    PID: 3288
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    Child processes:
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F6F4.tmp >> NUL
      PID: 2644
-
C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\N0IKX538u.README.txt
  PID: 3320
  - Opens file in notepad (likely ransom note)
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 840
-
C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 4944
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  Child processes:
  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{E7D99FA0-85E2-4202-9D5E-5A7F398869C5}.xps" 133648855528280000
    PID: 3300
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1016
Network
MITRE ATT&CK Enterprise v15
Downloads