Overview

overview

10

Static

static

10

LBB.exe

windows7-x64

10

LBB.exe

windows10-2004-x64

10

Resubmissions

13-07-2024 11:16

240713-ndhmqa1aja 10

11-07-2024 11:04

240711-m6nh1awdmb 10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-07-2024 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LBB.exe

  • Size

    156KB

  • MD5

    827fd84e6c235dbb400442390a538441

  • SHA1

    f88eafeeb71837534f32d7de483497d8d74fb279

  • SHA256

    7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea

  • SHA512

    4e6df341e606cdc5ecafd02b7e9ba979502301e5e89aaecf604018d014019ffd6bd26b1380cb316ec1beb8f533df5125e75ec67d8760f7bcd90f883b72199f6b

  • SSDEEP

    3072:1DDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368yUTtc76PJCW:n5d/zugZqll3OUCuPJ

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\bMHeBJMks.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: 0B4A03D462BADECEC97B6BA25C3CD3C6 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

  • Renames multiple (152) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\LBB.exe
    "C:\Users\Admin\AppData\Local\Temp\LBB.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\ProgramData\B19D.tmp
      "C:\ProgramData\B19D.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3128
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B19D.tmp >> NUL
        3⤵
          PID:3832
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4064

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3419463127-3903270268-2580331543-1000\YYYYYYYYYYY
      Filesize

      129B

      MD5

      f2361e6155b2f7d10fa227bac2350720

      SHA1

      ab0c202bf044c9ac1f7fea616dcefc2a50092ff2

      SHA256

      47a87b10772bda3b6cf84fd19b08d3f6f15c54be1cc5f95fb0a9d6a3ba765ac1

      SHA512

      149fc1ebe1a18ff1aced77ac4a83e353034bd6278f99ca83e4dcf25ee9f7c27fd672e60026f8e7e132cb6d6d4002a53f7c2f43b429acf6047cc11a988d4b3afc

      Download Submit

    • C:\ProgramData\B19D.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDD
      Filesize

      156KB

      MD5

      b59f740ee04aa72ef2c33a5f012f480c

      SHA1

      ac1afc2cc7176be81d61c4ccce0bd8cc06d69652

      SHA256

      c1bbb72612c335de4635d49c5521545b89fea64d3bcef0b688c3415c831d8332

      SHA512

      7d0ae4ab81cf34a9eca3aa62aff576f940bcc8baa4b514e2b24bce16b51ff4f22dbac08bcf559bd16ecd01c5e52ec3f4a0b7481dca0fbec7b1e400562fdc764f

      Download Submit

    • C:\Users\bMHeBJMks.README.txt
      Filesize

      2KB

      MD5

      2df779da7c4b4a475396eacf01460a62

      SHA1

      109b0d207c757982b4911af968c34c6d3d877f8a

      SHA256

      ff1df5cdad0e671bb800b0d39d6dc81ef8d5adfd831803a9a5b6f5e0a8b686ea

      SHA512

      03edb1685c3d3d12c714e2993d570a84dc5c8f52c64d0514c8b4b2dd2f6acb5a05ebc291e5e395d7a4cd7978343692c30707bdf3f3dcc5bd742716b004411c62

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3419463127-3903270268-2580331543-1000\EEEEEEEEEEE
      Filesize

      129B

      MD5

      d2c50c65d8c51c0e199a8e8016b8b9ca

      SHA1

      32a12833d2e0c14c7ef57f0c03a6431b77cf127f

      SHA256

      3b296b05fa1b2a7b67adf70ed726a0667afd13be2ee15feef110957a493f41c5

      SHA512

      81f0e2f69e46e207a6a18b486ccd8950da57de761ed2fe75d766a4f09fb033aa37a92164b199a08637246ab01a1562d0091297dd8ff4f5600d8d8090dd0682ee

      Download Submit

    • memory/3128-310-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3128-309-0x000000007FE20000-0x000000007FE21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3128-308-0x0000000002720000-0x0000000002730000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3128-307-0x0000000002720000-0x0000000002730000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3128-306-0x000000007FE40000-0x000000007FE41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3128-339-0x0000000002720000-0x0000000002730000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3128-340-0x0000000002720000-0x0000000002730000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3128-343-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3128-344-0x000000007FE00000-0x000000007FE01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3192-0-0x0000000003680000-0x0000000003690000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3192-1-0x0000000003680000-0x0000000003690000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3192-2-0x0000000003680000-0x0000000003690000-memory.dmp

      Filesize

      64KB

      Download