aafc63bc6e322b9a5f98cfcce836aab437e1333ed238a63285cf6e5a510fada9

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LB3.exe
Size

145KB
MD5

1676d013b73a71c5d7a7f8129dce462c
SHA1

f7353627f6417b7bbca121b79ccbb206157f1e4a
SHA256

aafc63bc6e322b9a5f98cfcce836aab437e1333ed238a63285cf6e5a510fada9
SHA512

009230f4f366144aac799bfed06e6ea8ca62843c98e18a8b4d5be164346f1bf1915ab92ba16061bdc9680b48a97c04e933203bd6cf07674933af9b1a283feac9
SSDEEP

1536:+zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDBt6+veFX5Ju5PmAiWSVwEydUyz:lqJogYkcSNm9V7DByJA5uAiPuE8T

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (892) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2140	F798.tmp

Executes dropped EXE 1 IoCs

pid	Process
2140	F798.tmp

Loads dropped DLL 1 IoCs

pid	Process
3024	LB3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe
3024	LB3.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp
2140	F798.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeDebugPrivilege	3024	LB3.exe
Token: 36	3024	LB3.exe
Token: SeImpersonatePrivilege	3024	LB3.exe
Token: SeIncBasePriorityPrivilege	3024	LB3.exe
Token: SeIncreaseQuotaPrivilege	3024	LB3.exe
Token: 33	3024	LB3.exe
Token: SeManageVolumePrivilege	3024	LB3.exe
Token: SeProfSingleProcessPrivilege	3024	LB3.exe
Token: SeRestorePrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeSystemProfilePrivilege	3024	LB3.exe
Token: SeTakeOwnershipPrivilege	3024	LB3.exe
Token: SeShutdownPrivilege	3024	LB3.exe
Token: SeDebugPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeBackupPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe
Token: SeSecurityPrivilege	3024	LB3.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2140	3024	LB3.exe	33
PID 3024 wrote to memory of 2140	3024	LB3.exe	33
PID 3024 wrote to memory of 2140	3024	LB3.exe	33
PID 3024 wrote to memory of 2140	3024	LB3.exe	33
PID 3024 wrote to memory of 2140	3024	LB3.exe	33

C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\ProgramData\F798.tmp
  "C:\ProgramData\F798.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  PID:2140

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150
1⤵
PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini

Filesize
129B

MD5
a55fc4523bc01bbafe79fdc05654e570

SHA1
4067cb6fa38af6cd13fefb998ba3a1a4f0e50ec2

SHA256
76745aeabb24d49e85cf577826cd31e594b48e46d51cae8d62a77b06642a3c63

SHA512
21bed44c44cb7c0391a9a11340f3c7c17673acef8c54cdcbe9a1241a25e04b7756d4d5f29ee8aaec5cb9bd50615ac0248fc72a9bae565e348187e40f6b73aa7a

Download Submit
C:\S6Lg3N7cq.README.txt

Filesize
289B

MD5
343cf231bf640aee5079dafeac910456

SHA1
986593eb26aac8592140bc47a677d3a849fd37c6

SHA256
e191e18d1f27b1312b9f9599867b4b2bd99ede3af66b50cf91c45300ca49740c

SHA512
308507c924fffa902a70343730c416c2d5e19e2958326a90640893a9559ba1e894d17f2e44dcb0b1d9b3b2dd3e3c0e5b9d13c659b90238fc4d497cccd1ca1185

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDD

Filesize
145KB

MD5
bdd7f5afd724aa81b300a06ccaee4b91

SHA1
8da0a36b838af533e03dcd5cb5b684389365121e

SHA256
fd50501e13c87be023a3a70244d5a67c5db78cbfae08e0a0406dbc5b3b1e7ab5

SHA512
39556efe31cf6905d8e660e14d94efcca4abf59d571135a324bb237ff469be0ae5836e1e2480f42fe21f0be96a25eb214402c735f3eaaa3b0284a93f874b733a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\DDDDDDDDDDD

Filesize
129B

MD5
ac8699f49c01cdc0cc237ed3148dff2f

SHA1
ecbb419cf180972a0465894f5461f7600e303660

SHA256
cea7038d6ab7286784e81bd2a357d8aa216e73ccc25a64c4df050b692f13ed21

SHA512
d37fbed2895afbc21dcbd420bd2d73815565036ea2178efd7d775361aa482398509b9e3fe4f6cc51de3bbe9c4dcda73b1e477bfbf2a9771cce0f00fa8c596f18

Download Submit
\ProgramData\F798.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2140-3671-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2140-3673-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2140-3702-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3024-0-0x00000000001D0000-0x0000000000210000-memory.dmp

Filesize
256KB

Download