970c78e5f252490ea381faf4e9b311764b8be5f1f97f737fc96a8357018fd552

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LB3.exe
Size

145KB
MD5

6ef47bf0769d5ffff66803b62a6ef2c3
SHA1

e3825327205f8f39c42c1b0d76c8f0aeff587dec
SHA256

970c78e5f252490ea381faf4e9b311764b8be5f1f97f737fc96a8357018fd552
SHA512

30cb1a3c86158f48a469f5ec1cad8584a9f432bf1c3f020321982180cd60f9acb2b17abcaff9a801d417548d5a482f746d602a8b267cd8c7a098d625e3a2571a
SSDEEP

3072:pqJogYkcSNm9V7D8B+L5PDVdsvHuMXva4T:pq2kc4m9tD8B+LTe1y

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (322) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

189F.tmp

pid	Process
1920	189F.tmp

Executes dropped EXE 1 IoCs

Processes:

189F.tmp

pid	Process
1920	189F.tmp

Loads dropped DLL 1 IoCs

Processes:

LB3.exe

pid	Process
2448	LB3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

LB3.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

189F.tmp

pid	Process
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

LB3.exe

pid	Process
2448	LB3.exe
2448	LB3.exe
2448	LB3.exe
2448	LB3.exe
2448	LB3.exe
2448	LB3.exe
2448	LB3.exe
2448	LB3.exe
2448	LB3.exe
2448	LB3.exe
2448	LB3.exe
2448	LB3.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

189F.tmp

pid	Process
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp
1920	189F.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LB3.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeDebugPrivilege	2448	LB3.exe
Token: 36	2448	LB3.exe
Token: SeImpersonatePrivilege	2448	LB3.exe
Token: SeIncBasePriorityPrivilege	2448	LB3.exe
Token: SeIncreaseQuotaPrivilege	2448	LB3.exe
Token: 33	2448	LB3.exe
Token: SeManageVolumePrivilege	2448	LB3.exe
Token: SeProfSingleProcessPrivilege	2448	LB3.exe
Token: SeRestorePrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeSystemProfilePrivilege	2448	LB3.exe
Token: SeTakeOwnershipPrivilege	2448	LB3.exe
Token: SeShutdownPrivilege	2448	LB3.exe
Token: SeDebugPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeBackupPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe
Token: SeSecurityPrivilege	2448	LB3.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

LB3.exe189F.tmp

description	pid	Process	procid_target
PID 2448 wrote to memory of 1920	2448	LB3.exe	32
PID 2448 wrote to memory of 1920	2448	LB3.exe	32
PID 2448 wrote to memory of 1920	2448	LB3.exe	32
PID 2448 wrote to memory of 1920	2448	LB3.exe	32
PID 2448 wrote to memory of 1920	2448	LB3.exe	32
PID 1920 wrote to memory of 1528	1920	189F.tmp	33
PID 1920 wrote to memory of 1528	1920	189F.tmp	33
PID 1920 wrote to memory of 1528	1920	189F.tmp	33
PID 1920 wrote to memory of 1528	1920	189F.tmp	33

C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\ProgramData\189F.tmp
  "C:\ProgramData\189F.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\189F.tmp >> NUL
    3⤵
    PID:1528

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini

Filesize
129B

MD5
116ecdc25e8aaa68d182cf10ad087455

SHA1
01f849e43834f226c6ab83c1d6b6fe0ecba3561f

SHA256
10f4145fee253d3a3d339afee91159d698f978343fc003360c014e6dd76cb6d8

SHA512
147bd20c3be8f7d7d4296d9894df8954eba7ce6c6a764fe5f8a2d139d9dcf8e532a96bd74f2b41350b734e8e5f4c4ee5be6053ad6dcd0e5593ad12193a910d96

Download Submit
C:\2RhHf8MzI.README.txt

Filesize
316B

MD5
f7c2a71eb88dbc296f6f2219e4f03685

SHA1
894712e61f16fd1221e209ef1793dabb72a14f8c

SHA256
def22d8a877d824871a81902a456d421e81ea2abdf86999669d9a3087d864531

SHA512
852fd2569921b36412413cfb3cc194b089be1383421f3210f22ebb2a796bb53189a95bc7db761ba33d6c345588eb9edd5aa48917dca597eba4c546dcb8ab84d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDD

Filesize
145KB

MD5
87d0cb29f8a4bfd48357068fe1fb93a9

SHA1
308bc5c32bdcfbd5301fde612caeb960bf72fd19

SHA256
2d67e1fbbb493ad2affe8e1e1f6100538cb546bdf99ac5403de57cb033039dd5

SHA512
606561dc28c2f9fc902fac661b55e46143ca7dc96be75a31bad95e27af6499b41dcd5c8616c55325e6c87126b53b79ba665d4bfd4ccf44059549b4a892ea3d68

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\DDDDDDDDDDD

Filesize
129B

MD5
e925ba7bc740be495e2b6c017fe41424

SHA1
55730924a76bd0b1732c2431c87eed2f81313f9d

SHA256
9d684bd4cd9f8f31d984237be697fb154908ce3d7cd564593212cbf93ea10e7e

SHA512
49d37890453a0ce864f5bb4925a904b9fd0aeebed88ec0920487eb16fb3647b57846cf41516efc068339371653f0616d1c29af406a9bfb182714c6c4b6e97842

Download Submit
\ProgramData\189F.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1920-854-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/1920-856-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1920-855-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1920-853-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1920-888-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/1920-887-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2448-0-0x0000000000110000-0x0000000000150000-memory.dmp

Filesize
256KB

Download