7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea

Resubmissions

13-07-2024 11:16

240713-ndhmqa1aja 10

11-07-2024 11:04

240711-m6nh1awdmb 10

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LBB.exe
Size

156KB
MD5

827fd84e6c235dbb400442390a538441
SHA1

f88eafeeb71837534f32d7de483497d8d74fb279
SHA256

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea
SHA512

4e6df341e606cdc5ecafd02b7e9ba979502301e5e89aaecf604018d014019ffd6bd26b1380cb316ec1beb8f533df5125e75ec67d8760f7bcd90f883b72199f6b
SSDEEP

3072:1DDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368yUTtc76PJCW:n5d/zugZqll3OUCuPJ

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\bMHeBJMks.README.txt

Ransom Note

~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: 0B4A03D462BADECE62647A2E7369150C << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.

URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

Renames multiple (143) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

232.tmp

pid	Process
2976	232.tmp

Executes dropped EXE 1 IoCs

Processes:

232.tmp

pid	Process
2976	232.tmp

Loads dropped DLL 1 IoCs

Processes:

LBB.exe

pid	Process
1792	LBB.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

LBB.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini	LBB.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini	LBB.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

LBB.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\bMHeBJMks.bmp"	LBB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\bMHeBJMks.bmp"	LBB.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

LBB.exe232.tmp

pid	Process
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

LBB.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop	LBB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\WallpaperStyle = "10"	LBB.exe

Modifies registry class 5 IoCs

Processes:

LBB.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bMHeBJMks\DefaultIcon	LBB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bMHeBJMks	LBB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bMHeBJMks\DefaultIcon\ = "C:\\ProgramData\\bMHeBJMks.ico"	LBB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bMHeBJMks	LBB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bMHeBJMks\ = "bMHeBJMks"	LBB.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

LBB.exe

pid	Process
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe
1792	LBB.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

232.tmp

pid	Process
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp
2976	232.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LBB.exevssvc.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeDebugPrivilege	1792	LBB.exe
Token: 36	1792	LBB.exe
Token: SeImpersonatePrivilege	1792	LBB.exe
Token: SeIncBasePriorityPrivilege	1792	LBB.exe
Token: SeIncreaseQuotaPrivilege	1792	LBB.exe
Token: 33	1792	LBB.exe
Token: SeManageVolumePrivilege	1792	LBB.exe
Token: SeProfSingleProcessPrivilege	1792	LBB.exe
Token: SeRestorePrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeSystemProfilePrivilege	1792	LBB.exe
Token: SeTakeOwnershipPrivilege	1792	LBB.exe
Token: SeShutdownPrivilege	1792	LBB.exe
Token: SeDebugPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	2148	vssvc.exe
Token: SeRestorePrivilege	2148	vssvc.exe
Token: SeAuditPrivilege	2148	vssvc.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeSecurityPrivilege	1792	LBB.exe
Token: SeBackupPrivilege	1792	LBB.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

LBB.exe232.tmp

description	pid	Process	procid_target
PID 1792 wrote to memory of 2976	1792	LBB.exe	34
PID 1792 wrote to memory of 2976	1792	LBB.exe	34
PID 1792 wrote to memory of 2976	1792	LBB.exe	34
PID 1792 wrote to memory of 2976	1792	LBB.exe	34
PID 1792 wrote to memory of 2976	1792	LBB.exe	34
PID 2976 wrote to memory of 2440	2976	232.tmp	35
PID 2976 wrote to memory of 2440	2976	232.tmp	35
PID 2976 wrote to memory of 2440	2976	232.tmp	35
PID 2976 wrote to memory of 2440	2976	232.tmp	35

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\LBB.exe
"C:\Users\Admin\AppData\Local\Temp\LBB.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\ProgramData\232.tmp
  "C:\ProgramData\232.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\232.tmp >> NUL
    3⤵
    PID:2440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini

Filesize
129B

MD5
f0c28d2bb8ac148c65f76362dcdfb4ac

SHA1
cab58c0cb5b64e5c11e362d1d2565b14ad2943e1

SHA256
a175f19d3c2a3cc79b54bd2a8d066cf30e020dc0f34b10a37a713bf73f7b2016

SHA512
9756caa8b8daa289d1cfabc7a1cce23518f5f9fe03a961b7ccc8603e677b6d52386a04652d31a559ed83b853748ab0b8a6f983d2cf3bcee343dcc8c5690900a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDD

Filesize
156KB

MD5
da5991b29907153cc19161d3dfd00ba9

SHA1
172c776a765ac3298a92314bb984a015a296e657

SHA256
29316b414561cc5b3a4358cb7676a69f37d25f102ac6592f12f3c251e1b80261

SHA512
4b0cd079b462ce4858db72e9f0c99536cbe0d1b3d3db6f8ef11a2ab532bc4a6aca7082a4873df2123e55d4d7a3b3aab21bb0cb777a7432bd2fea738b2e6d4ec9

Download Submit
C:\Users\bMHeBJMks.README.txt

Filesize
2KB

MD5
f16a6f90e31ec5fea4419b7f82f974b7

SHA1
f2d9a78deeefc5eab6f3a1aa1bc823d8b82de161

SHA256
e56ea569ce60f9b7aac66a78d2aaa2559040e044f886de6abcdf320aea79292e

SHA512
a2c28ca0251674f7e8850e2c02c244c2e2660a4edc67898de8fb047a2dc23bd6c3a8cac46ef66a35e5093669686336134dbb844afaab3956e01a037c130af8f1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2660163958-4080398480-1122754539-1000\DDDDDDDDDDD

Filesize
129B

MD5
a72f1d0ad43902947b1d4c5b3d5d2564

SHA1
f11fcdcde2da610c30f09488ac5a5285bccb38db

SHA256
66735c686b29fea8f502c750074bbe61381aae4397d7cb5fe761397d17e9fc8d

SHA512
796e3998ff056a2dbc31089c609e92b9bffea6177f34122e1a58323ad08fafdf364187c86d1c3c13f7c247cfc1e21e20d43c639f0447fb036ed4859fe158aa73

Download Submit
\ProgramData\232.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1792-0-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/2976-277-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2976-276-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2976-275-0x00000000022E0000-0x0000000002320000-memory.dmp

Filesize
256KB

Download
memory/2976-274-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2976-309-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2976-308-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download