Analysis

  • max time kernel: 149s
  • max time network: 152s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted: 10-07-2024 16:05

General

  • Target: LB3.exe
  • Size: 145KB
  • MD5: 1676d013b73a71c5d7a7f8129dce462c
  • SHA1: f7353627f6417b7bbca121b79ccbb206157f1e4a
  • SHA256: aafc63bc6e322b9a5f98cfcce836aab437e1333ed238a63285cf6e5a510fada9
  • SHA512: 009230f4f366144aac799bfed06e6ea8ca62843c98e18a8b4d5be164346f1bf1915ab92ba16061bdc9680b48a97c04e933203bd6cf07674933af9b1a283feac9
  • SSDEEP: 1536:+zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDBt6+veFX5Ju5PmAiWSVwEydUyz:lqJogYkcSNm9V7DByJA5uAiPuE8T

Malware Config

Signatures

  • Renames multiple (597) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself (1 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (14 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:4936
    • C:\ProgramData\FD4D.tmp
      "C:\ProgramData\FD4D.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4420
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FD4D.tmp >> NUL
        3⤵
        PID:664
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
      PID:3912
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4064
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{567DF357-1765-40B9-8569-1E31AB4A3905}.xps" 133651011707500000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:1144
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S6Lg3N7cq.README.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:4912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-701583114-2636601053-947405450-1000\desktop.ini
    Filesize: 129B
    MD5: 4a1f475c8bac1b4998aa00b0c5c346c3
    SHA1: 51396bb27e24c1580a254510452635ceb83dac9b
    SHA256: fa2ebd7a6945bb59532e08d71abb4437543e54de976d24f5e66777dd7841c4e8
    SHA512: 2d272af9866dbf84b13360c9206b0af6f938ff40a14c7a7dedaf6b3e0476c676eb361c8279a873a0e12cac169d4b507681f23df2d833a0b40f5a03492face18d

  • C:\ProgramData\FD4D.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\S6Lg3N7cq.README.txt
    Filesize: 289B
    MD5: 343cf231bf640aee5079dafeac910456
    SHA1: 986593eb26aac8592140bc47a677d3a849fd37c6
    SHA256: e191e18d1f27b1312b9f9599867b4b2bd99ede3af66b50cf91c45300ca49740c
    SHA512: 308507c924fffa902a70343730c416c2d5e19e2958326a90640893a9559ba1e894d17f2e44dcb0b1d9b3b2dd3e3c0e5b9d13c659b90238fc4d497cccd1ca1185

  • C:\Users\Admin\AppData\Local\Temp\EEEEEEE
    Filesize: 145KB
    MD5: 6e5daed383be3ea62c5df5f54c25fd5a
    SHA1: 17ec5a6b41f9fc48da2c21212ee0d392f0f5e22b
    SHA256: 346c53131274a0c5073f17bdf8dcf285ee651e1083d1e73c7900392fbb29074d
    SHA512: 89de03776941e849d7c5db56899b4047f4df1a23aeb913436d2e416e2ab865af1e53c2aec69760c799d98923b42ec08aee901b736229a6d206fd5436939a470b

  • F:\$RECYCLE.BIN\S-1-5-21-701583114-2636601053-947405450-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: 0dd75409647f082012d002c73d263fcf
    SHA1: 959c8f747652e12bf792c93c3d190936a6d8919a
    SHA256: cbdda7dda087b968c4b890eec6a71da6d1cacc0417a4d1189d536dc8be7d7687
    SHA512: fd3a3cac3dc1365d3af33ad7cb483e1de150411dae2f043264758af052506d41d61d57e2d7a3fca68fb80e153bde235f2e791ae767030cccb4795637e9a695f9

  • Memory dumps (Filesize: 64KB each)
    • memory/1144-2948-0x00007FFEFA0F0000-0x00007FFEFA100000-memory.dmp
    • memory/1144-3016-0x00007FFEFA0F0000-0x00007FFEFA100000-memory.dmp
    • memory/1144-2951-0x00007FFEFA0F0000-0x00007FFEFA100000-memory.dmp
    • memory/1144-2950-0x00007FFEFA0F0000-0x00007FFEFA100000-memory.dmp
    • memory/1144-2949-0x00007FFEFA0F0000-0x00007FFEFA100000-memory.dmp
    • memory/1144-3013-0x00007FFEFA0F0000-0x00007FFEFA100000-memory.dmp
    • memory/1144-2954-0x00007FFEFA0F0000-0x00007FFEFA100000-memory.dmp
    • memory/1144-3014-0x00007FFEFA0F0000-0x00007FFEFA100000-memory.dmp
    • memory/1144-2981-0x00007FFEF78C0000-0x00007FFEF78D0000-memory.dmp
    • memory/1144-2982-0x00007FFEF78C0000-0x00007FFEF78D0000-memory.dmp
    • memory/1144-3015-0x00007FFEFA0F0000-0x00007FFEFA100000-memory.dmp
    • memory/4732-1-0x0000000003080000-0x0000000003090000-memory.dmp
    • memory/4732-0-0x0000000003080000-0x0000000003090000-memory.dmp
    • memory/4732-2-0x0000000003080000-0x0000000003090000-memory.dmp