74f20aa3be90484260777777ceb6caaebf2bcc59ff2b1e221ac71a7c03a62793

Analysis

max time kernel
84s
max time network
47s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 15:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

LB3.exe
Size

146KB
MD5

d1fff29fe9d2e8bed2f6ea4472fbe477
SHA1

e3e5f4ab7935281b2aa0f56c7b1aec24423013cc
SHA256

74f20aa3be90484260777777ceb6caaebf2bcc59ff2b1e221ac71a7c03a62793
SHA512

f8d16e66b0d687868884de71a2bf0cb70fbc9725ead4c305370bc3550019c94a38ebe77e82b295b05326b039b8abfe9421d7c539ccce27b0854dea6a38e8c410
SSDEEP

3072:qqJogYkcSNm9V7DzIhvzO0/AbiFMPVPT:qq2kc4m9tDzMlAbi8

Score

7^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	8D.tmp

Executes dropped EXE 1 IoCs

pid	Process
2716	8D.tmp

Loads dropped DLL 1 IoCs

pid	Process
1932	LB3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini	LB3.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\em5bwsECz.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\em5bwsECz.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2240	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe
1932	LB3.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp
2716	8D.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeDebugPrivilege	1932	LB3.exe
Token: 36	1932	LB3.exe
Token: SeImpersonatePrivilege	1932	LB3.exe
Token: SeIncBasePriorityPrivilege	1932	LB3.exe
Token: SeIncreaseQuotaPrivilege	1932	LB3.exe
Token: 33	1932	LB3.exe
Token: SeManageVolumePrivilege	1932	LB3.exe
Token: SeProfSingleProcessPrivilege	1932	LB3.exe
Token: SeRestorePrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeSystemProfilePrivilege	1932	LB3.exe
Token: SeTakeOwnershipPrivilege	1932	LB3.exe
Token: SeShutdownPrivilege	1932	LB3.exe
Token: SeDebugPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeBackupPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe
Token: SeSecurityPrivilege	1932	LB3.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2716	1932	LB3.exe	32
PID 1932 wrote to memory of 2716	1932	LB3.exe	32
PID 1932 wrote to memory of 2716	1932	LB3.exe	32
PID 1932 wrote to memory of 2716	1932	LB3.exe	32
PID 1932 wrote to memory of 2716	1932	LB3.exe	32

C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\ProgramData\8D.tmp
  "C:\ProgramData\8D.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  PID:2716

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1380

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2420

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2968

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\em5bwsECz.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150
1⤵
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini

Filesize
129B

MD5
821fd98f5648e9ffefda3e24dd908c5f

SHA1
61dc31de6bdda00657a07cb45021b6b85f62e53e

SHA256
d6e787b4e4cb88b3c3447ecdfa692a64d7f853ce5ad298c5c282ccd98c0abf5c

SHA512
e7c7699e9229552b11e360471d3a40a32359805c1aa253545d00a2c95eb145675defb3018bb017752ff27c58828db110d815a51c2b8122f00d04468df6a076fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDD

Filesize
146KB

MD5
27ac86d2db66c938875bfa70a5fb6f3b

SHA1
fa72129c0b2dfc11ccbac7d7954ac906de944fa9

SHA256
0f658491cf3e6a742150a278d55af863e17a2c2ba4c9d08f01f0006c60aa3fe3

SHA512
501c0713640c74fc14705af88e48fa4bfde8a9cff6cb0e67ad8abad1fc9ec73c38f258226681daf4368fee060ac7465472b0c082d542271ee381f06016037b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\XqMrTG3.em5bwsECz

Filesize
2KB

MD5
70ea714425430d21de49ee4a364653c3

SHA1
0d4ec6674e0816560e1ba9156b3a92e24be11988

SHA256
8ab8c1fd944fdb4e89834e9ca18c12a9821ec4e119ac58391b6f12f88ae8c402

SHA512
8688eae788f7af34197a2b9ce8617e188e28c790292b6251b7d70b796add23cf32e790145616e4a3925ce678a1538feaf51a470e393faff564802e721cbf8a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\XxQ9qse.em5bwsECz

Filesize
2KB

MD5
c8b04dfcfc348834c6209449832c72c7

SHA1
e00f1eea7853278db322bef24d2e7407ad1f3cd6

SHA256
1981ecbf76dbcfdf3724059736e6ad44567a1f29ff39d5ec752f6f9e0b0e777d

SHA512
d05c263e1c2da0edb018087664a5f64f3e9e9c959abeaa0109c30da45340a6e2991c5247d4f42b5bc773d250719af48236641aa26cf1be38e09f4c95c584c8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\Y6eH2nF.em5bwsECz

Filesize
2KB

MD5
2462f0de94dd3d435c8bf34d8ad7518c

SHA1
037bbd197ebb160fbb80a78cc8fc3a9bf41e0a38

SHA256
4250750e47a8ba102e9bfe4075448db52ea60617682306ce3f134f3d2c9df737

SHA512
c10ef12af31eb552ec3d5336f2b3230ef43aeb271a95c5038a5debdac53f1f1bba700900790288910c5e9fe7a692c38f4d63beb2c4e12f9de69cd1a107681c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\ZQKzD2K.em5bwsECz

Filesize
23KB

MD5
289bab9da49cebfe58e26a0a6a3c968d

SHA1
eaa66505221dc13eff5f067453f018cb92a26001

SHA256
c5da0235f94bd55629c03d11fb75c1d85caf8e9459d9f80eafdf4ea13daa5a5d

SHA512
3941774b7e99550f453c84f641d2d3d4f19099a30d78bf6376953214f912c2bd0b83db95a721d9b5aca40ef9d4347a099a27317a2cde72d725d0afc693a94f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\ZZlxsys.em5bwsECz

Filesize
1KB

MD5
40eea3580cdfba8e520c0ddf145b7755

SHA1
522c06b5718278d1bf20287e091f2330091c37fa

SHA256
7b210c88875e9fe23704db0a955684327c79479c9d66759692f2adfe22cb3f01

SHA512
69e753da3f666eedaf4dd659633ed9178bd13917766c0fa80af39a064fff8d338b8b65859d6bae0f5b6797d6f0cfdf672c04f11ba22f0ce8b36ece05e8c0ce33

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\ZpV9n2J.em5bwsECz

Filesize
2KB

MD5
a6805cd753e9d9c11e4899055e86c5dd

SHA1
8657b85708918277987d2806ef6eb8bc93f38f0e

SHA256
437ead8bb241bd5284f0bf076c668433ca3aa5cd4381b2a9ed437a9e3d8ef96b

SHA512
16284ecd4f3d49df838b2b435bf20382e6d4fc1c461dfc45c60252c990e941aecaafd237639b15cb52e30fe58f2ad71aa9b5a86eebc84280e5064f3af0522cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\xNfqNfi.em5bwsECz

Filesize
3KB

MD5
0a8fc35e9820404022fef3823a87f150

SHA1
415d2802dfcd264ee0cc7327b10fc943875f99db

SHA256
afef7bf117d0db41ecd650af3c3c21be32da8450469a6e56e7e683cdc134a600

SHA512
e2e657a5c73eeb97cadd84259470d99beb227837449185c5ef0c823e9d3bddf9291b080321cbf4fa793ca85b7421dc3b6b6b2db1dcab2a0ab680c681c88b608b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\xiKUcp2.em5bwsECz

Filesize
2KB

MD5
e092c41dadbfb05a76297f53fcfbee0a

SHA1
3ff319ee0ed489956c7ecdc5cf96f9d39741b293

SHA256
54eed5c8f82b87328aaf5ae0fb274e4f9c61029457e1b60ea4aba89861584fa5

SHA512
7ce90b0a30d12ed3e3e6c069813dabf7b738e812dea7343b8fb0a4b148b7c21c86241c01fea8c17e9c8e9b3480c06ed616ecf2fc6490b77afdeb07c62d387a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\y4ZS8At.em5bwsECz

Filesize
2KB

MD5
9911b5640339c815d49a3d1261f19cfc

SHA1
b2915ce4a5016744ae6f45cdf65abfe861d6d37b

SHA256
7b67fceea31d650b3a7120b623852f919f5940727075f95daff21b83d1eb8c9d

SHA512
be2cf1382c3378fd7cec98bef117b00aa35b9226b2f0e7f5cb89d6c901ea5f17c5b794933a7b2e703bf6c33cc76e1b156922e233baefab3690c38012dbf4e9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\yEqWSk7.em5bwsECz

Filesize
2KB

MD5
0b404e89d0c70d5ea5efd2e46a43f5c3

SHA1
cfa9a1c56fc7d6f8e14b6dcfeb5a7e04b4280fac

SHA256
9883b8cc4017934ea2e614336c26cd9f6b6d50158b73e27056a1dd3c85010361

SHA512
13a4b3e95089b707ff6d3be9bc1512602c024a6eac4745001c427655ae8085c77a5da98a715ac6ba19755d04a24a9f0617a451f2bb6e4fb0c9b61574e087c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\yISFPNR.em5bwsECz

Filesize
2KB

MD5
530b1e974a576a70b4bbda24204e1293

SHA1
b18cf9432e02e7855e3818c3d59d438dafec69d3

SHA256
6c3024b0e3a01358ec3fada77987e085565f955b82400071198891c77d1264c0

SHA512
2a8361343fae44e0d6ab8f9c8beda82d94ef05439d1ff8c459c5f94bbe0a5bb2d7a9847cce84fe5d8294072996d0f3dfa379ff666fcbed745cd821c7783aed7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\ygIJTIq.em5bwsECz

Filesize
2KB

MD5
035b6bb9a0c7ea5fd3e34898ea9f79ca

SHA1
c56e46e2df16570433911e71ff0a4f5cbc4929dc

SHA256
1153c249e49be8df7a616bc99ea520f71dc39f4c99688e45167fe1ba56234e2b

SHA512
2ed27972e587f9f009add3700a08ca7cf7ce770e5e871afc268cb6753a10d74c3064272e730791e7b2c1bc93c90b9fc16f9fa25eee6a8a88338acc58ef6bc87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\zk2UvIC.em5bwsECz

Filesize
2KB

MD5
474e069975f06ac7615c6a84f0a05e1c

SHA1
35187428384e2e93e142fdcd754139df5d8567e2

SHA256
f37452fdfd5c98c8d631ff8903344af3ac40f0a83143722bce38fa9d08c6f211

SHA512
e8f2745c88e6e71d4e2b824c13b44e6aa08bc6ca3c5dd3ec3277f344a0b3c2b53127ed86b9ef0aa7cb5c23220a70b782d09f9076e9a3f69b68ebcc1d60104514

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\zlimqCe.em5bwsECz

Filesize
3KB

MD5
08ae1d6870f967660d1ed2eecba02085

SHA1
d2961af31e7d67a9de90e466e570144168d498c5

SHA256
a0aecc0fc4d21c2968b35af375d39ddf9282d457e7eda227e25760b79c53b5f2

SHA512
9dc79737b04a1cac6eaacadd33304804151db8e9b7d73804d39e727846a4b495150f5d3ac6358badd8ffd40852a5ea7dfda46b123291909a21324f88c07dbab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\zssoZjh.em5bwsECz

Filesize
3KB

MD5
47703e07d4ddeb3c0f6c85d085117002

SHA1
00728512b5b24f147963548d6ceb2879804f3a3e

SHA256
2ae762c8b0b08829432425d5bbf051963779012f4fd81e278fe1bf2819568c1f

SHA512
8e55cb120c83f14d38609ce307ccbb2b85aad19d525c26cc5286edba0ced9de41c26e4ece2ec970d282d329816f82e346382e2a3807fad6619881c6541ec8fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\zvvvPG8.em5bwsECz

Filesize
2KB

MD5
5e23d9ce40933a3570ba2450dc62f2ac

SHA1
d93c7dc5bfbf3870ecc1d4b585e42aa1337cf8c8

SHA256
aa3aa5446f460736f675919f4aa0a305ff2af60d666ed9f3e02f4211c104dd42

SHA512
1c5d50066bc62cdc215955f5efdbe7233c4159eb0298a40129a757baaad19df161971a3da9b9fe084a93066dbfd9b241962a869b4403043b797d61cae2f6c313

Download Submit
C:\em5bwsECz.README.txt

Filesize
28B

MD5
9056ab0f27b2bea7a26db97d14bfe025

SHA1
5336b4e12f809109d3c4b0f5f2c19258df7a378e

SHA256
d6e2312fe11d1c0a9b958d97a6a8ef51e83dbbb89d847d1a01c9b4ace05f26dc

SHA512
3efa13f50b3b1f0d495b80ff32a8ba851e280e2337193111ec42256e758d4291df056364391b24842b67e89b7dee6a7bf964d5d7837eeab51b9e3c188af846f5

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\DDDDDDDDDDD

Filesize
129B

MD5
9c4359784bf8458abed02e6d9892c35d

SHA1
16c884ead7b5b7c8403608fc0f57153f007bdc6d

SHA256
78393a54dd15893b3afa36cc8acaed0d6840ad8e70cb9db7e638014e5e027db7

SHA512
cfa1e8c3f182a544f8cb10aa2a57b42d397fc3e04592ccda94c694da0d85381ff8b1740ffb1b85bcb33e869a0545e554d0fce34a79885612dc5fec4310ea74c4

Download Submit
\ProgramData\8D.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1932-0-0x0000000000410000-0x0000000000450000-memory.dmp

Filesize
256KB

Download
memory/2716-3519-0x0000000002170000-0x00000000021B0000-memory.dmp

Filesize
256KB

Download
memory/2716-3521-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2716-3520-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2716-3518-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download