Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10-07-2024 16:05
Behavioral task
behavioral1
Sample
LB3.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
LB3.exe
Resource
win10v2004-20240709-en
General
-
Target
LB3.exe
-
Size
145KB
-
MD5
1676d013b73a71c5d7a7f8129dce462c
-
SHA1
f7353627f6417b7bbca121b79ccbb206157f1e4a
-
SHA256
aafc63bc6e322b9a5f98cfcce836aab437e1333ed238a63285cf6e5a510fada9
-
SHA512
009230f4f366144aac799bfed06e6ea8ca62843c98e18a8b4d5be164346f1bf1915ab92ba16061bdc9680b48a97c04e933203bd6cf07674933af9b1a283feac9
-
SSDEEP
1536:+zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDBt6+veFX5Ju5PmAiWSVwEydUyz:lqJogYkcSNm9V7DByJA5uAiPuE8T
Malware Config
Signatures
-
Renames multiple (597) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation FD4D.tmp -
Deletes itself 1 IoCs
pid Process 4420 FD4D.tmp -
Executes dropped EXE 1 IoCs
pid Process 4420 FD4D.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-701583114-2636601053-947405450-1000\desktop.ini LB3.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-701583114-2636601053-947405450-1000\desktop.ini LB3.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PP6tkqcyy3qm0md9liok956oq7d.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPiagj0pj00y3q3ocrhey10yrgb.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP8nhgvap7ic30d7v1v_w_3u8yd.TMP printfilterpipelinesvc.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 4912 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1144 ONENOTE.EXE 1144 ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe 4732 LB3.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp 4420 FD4D.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeDebugPrivilege 4732 LB3.exe Token: 36 4732 LB3.exe Token: SeImpersonatePrivilege 4732 LB3.exe Token: SeIncBasePriorityPrivilege 4732 LB3.exe Token: SeIncreaseQuotaPrivilege 4732 LB3.exe Token: 33 4732 LB3.exe Token: SeManageVolumePrivilege 4732 LB3.exe Token: SeProfSingleProcessPrivilege 4732 LB3.exe Token: SeRestorePrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeSystemProfilePrivilege 4732 LB3.exe Token: SeTakeOwnershipPrivilege 4732 LB3.exe Token: SeShutdownPrivilege 4732 LB3.exe Token: SeDebugPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeBackupPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe Token: SeSecurityPrivilege 4732 LB3.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process 1144 ONENOTE.EXE 1144 ONENOTE.EXE 1144 ONENOTE.EXE 1144 ONENOTE.EXE 1144 ONENOTE.EXE 1144 ONENOTE.EXE 1144 ONENOTE.EXE 1144 ONENOTE.EXE 1144 ONENOTE.EXE 1144 ONENOTE.EXE 1144 ONENOTE.EXE 1144 ONENOTE.EXE 1144 ONENOTE.EXE 1144 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4732 wrote to memory of 4936 4732 LB3.exe 88 PID 4732 wrote to memory of 4936 4732 LB3.exe 88 PID 4064 wrote to memory of 1144 4064 printfilterpipelinesvc.exe 91 PID 4064 wrote to memory of 1144 4064 printfilterpipelinesvc.exe 91 PID 4732 wrote to memory of 4420 4732 LB3.exe 92 PID 4732 wrote to memory of 4420 4732 LB3.exe 92 PID 4732 wrote to memory of 4420 4732 LB3.exe 92 PID 4732 wrote to memory of 4420 4732 LB3.exe 92 PID 4420 wrote to memory of 664 4420 FD4D.tmp 100 PID 4420 wrote to memory of 664 4420 FD4D.tmp 100 PID 4420 wrote to memory of 664 4420 FD4D.tmp 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\LB3.exe"C:\Users\Admin\AppData\Local\Temp\LB3.exe"1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:4936
-
-
C:\ProgramData\FD4D.tmp"C:\ProgramData\FD4D.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FD4D.tmp >> NUL3⤵PID:664
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:3912
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{567DF357-1765-40B9-8569-1E31AB4A3905}.xps" 1336510117075000002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1144
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S6Lg3N7cq.README.txt1⤵
- Opens file in notepad (likely ransom note)
PID:4912
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD54a1f475c8bac1b4998aa00b0c5c346c3
SHA151396bb27e24c1580a254510452635ceb83dac9b
SHA256fa2ebd7a6945bb59532e08d71abb4437543e54de976d24f5e66777dd7841c4e8
SHA5122d272af9866dbf84b13360c9206b0af6f938ff40a14c7a7dedaf6b3e0476c676eb361c8279a873a0e12cac169d4b507681f23df2d833a0b40f5a03492face18d
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
289B
MD5343cf231bf640aee5079dafeac910456
SHA1986593eb26aac8592140bc47a677d3a849fd37c6
SHA256e191e18d1f27b1312b9f9599867b4b2bd99ede3af66b50cf91c45300ca49740c
SHA512308507c924fffa902a70343730c416c2d5e19e2958326a90640893a9559ba1e894d17f2e44dcb0b1d9b3b2dd3e3c0e5b9d13c659b90238fc4d497cccd1ca1185
-
Filesize
145KB
MD56e5daed383be3ea62c5df5f54c25fd5a
SHA117ec5a6b41f9fc48da2c21212ee0d392f0f5e22b
SHA256346c53131274a0c5073f17bdf8dcf285ee651e1083d1e73c7900392fbb29074d
SHA51289de03776941e849d7c5db56899b4047f4df1a23aeb913436d2e416e2ab865af1e53c2aec69760c799d98923b42ec08aee901b736229a6d206fd5436939a470b
-
Filesize
129B
MD50dd75409647f082012d002c73d263fcf
SHA1959c8f747652e12bf792c93c3d190936a6d8919a
SHA256cbdda7dda087b968c4b890eec6a71da6d1cacc0417a4d1189d536dc8be7d7687
SHA512fd3a3cac3dc1365d3af33ad7cb483e1de150411dae2f043264758af052506d41d61d57e2d7a3fca68fb80e153bde235f2e791ae767030cccb4795637e9a695f9