7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea

Resubmissions

13-07-2024 11:16

240713-ndhmqa1aja 10

11-07-2024 11:04

240711-m6nh1awdmb 10

Analysis

max time kernel
242s
max time network
245s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LBB.exe
Size

156KB
MD5

827fd84e6c235dbb400442390a538441
SHA1

f88eafeeb71837534f32d7de483497d8d74fb279
SHA256

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea
SHA512

4e6df341e606cdc5ecafd02b7e9ba979502301e5e89aaecf604018d014019ffd6bd26b1380cb316ec1beb8f533df5125e75ec67d8760f7bcd90f883b72199f6b
SSDEEP

3072:1DDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368yUTtc76PJCW:n5d/zugZqll3OUCuPJ

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\bMHeBJMks.README.txt

Ransom Note

~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: 0B4A03D462BADECEEB19C5B6DFC67218 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.

URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

Renames multiple (166) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

ED6B.tmp

pid	Process
2644	ED6B.tmp

Executes dropped EXE 1 IoCs

Processes:

ED6B.tmp

pid	Process
2644	ED6B.tmp

Loads dropped DLL 1 IoCs

Processes:

LBB.exe

pid	Process
2556	LBB.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

LBB.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini	LBB.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini	LBB.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

LBB.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\bMHeBJMks.bmp"	LBB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\bMHeBJMks.bmp"	LBB.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

LBB.exeED6B.tmp

pid	Process
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp

Modifies Control Panel 2 IoCs

evasion

Processes:

LBB.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop	LBB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallpaperStyle = "10"	LBB.exe

Modifies registry class 5 IoCs

Processes:

LBB.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bMHeBJMks\DefaultIcon	LBB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bMHeBJMks	LBB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bMHeBJMks\DefaultIcon\ = "C:\\ProgramData\\bMHeBJMks.ico"	LBB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bMHeBJMks	LBB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bMHeBJMks\ = "bMHeBJMks"	LBB.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

LBB.exe

pid	Process
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe
2556	LBB.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

ED6B.tmp

pid	Process
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp
2644	ED6B.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LBB.exevssvc.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeDebugPrivilege	2556	LBB.exe
Token: 36	2556	LBB.exe
Token: SeImpersonatePrivilege	2556	LBB.exe
Token: SeIncBasePriorityPrivilege	2556	LBB.exe
Token: SeIncreaseQuotaPrivilege	2556	LBB.exe
Token: 33	2556	LBB.exe
Token: SeManageVolumePrivilege	2556	LBB.exe
Token: SeProfSingleProcessPrivilege	2556	LBB.exe
Token: SeRestorePrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeSystemProfilePrivilege	2556	LBB.exe
Token: SeTakeOwnershipPrivilege	2556	LBB.exe
Token: SeShutdownPrivilege	2556	LBB.exe
Token: SeDebugPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2524	vssvc.exe
Token: SeRestorePrivilege	2524	vssvc.exe
Token: SeAuditPrivilege	2524	vssvc.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeSecurityPrivilege	2556	LBB.exe
Token: SeBackupPrivilege	2556	LBB.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

LBB.exe

description	pid	Process	procid_target
PID 2556 wrote to memory of 2644	2556	LBB.exe	34
PID 2556 wrote to memory of 2644	2556	LBB.exe	34
PID 2556 wrote to memory of 2644	2556	LBB.exe	34
PID 2556 wrote to memory of 2644	2556	LBB.exe	34
PID 2556 wrote to memory of 2644	2556	LBB.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\LBB.exe
"C:\Users\Admin\AppData\Local\Temp\LBB.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\ProgramData\ED6B.tmp
  "C:\ProgramData\ED6B.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  PID:2644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150
1⤵
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini

Filesize
129B

MD5
dd943bcc01d54dadef857e10c76ade08

SHA1
180ea4f113a1f5a31d43bb679e711961a9aa062f

SHA256
9e10c79c294a6a6697c735cbd103a5bb951d2d400acc8e7efd226ebf3e028378

SHA512
6045f1bbab8c0aaabd313327b6c538296dfa3e0ee6eae900df33a97137255d68c2761932739c7f45560c15ba4f30744cd21b20f8d828b378b716dc20b3962a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDD

Filesize
156KB

MD5
f300230bf4249a9e450f710854753085

SHA1
a06e51926093314b9e694f3a86607cceb1055d75

SHA256
366d792f343b32bd7c88d7281c509875f6c6b86d4e78a87fe2a6bf276a832a36

SHA512
edfd1df55aaa76aa594d01b4cb4931d6eff71a401b6c3976c355ebfad93f4f85a5b71fa8253dc3fbecf8660936d2a78854a5283509f6d6f215ad70b231a3df3c

Download Submit
C:\Users\bMHeBJMks.README.txt

Filesize
2KB

MD5
3be83225051dc17c3e6a9f86f7eb82ed

SHA1
13bc52c99e6f62aaf0e00b56b20758e9de67e56e

SHA256
f67b50fae8fbbb85b752b82dcafd889096538abca9b1588dd39e1354724d313a

SHA512
13815d7b723ac098f43b6db99326fc448371031475a1f760dd527bf9ba55ec78655e7038dfa3485aca2b625286ed2791b8648cd0235eeb590e2cb407b2d93fd7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\DDDDDDDDDDD

Filesize
129B

MD5
8125eb0fb11c857a32cc55eb020e9448

SHA1
997b1c38ddce60d8e58f54f0576dca99797118d2

SHA256
247666e0b5ccc491dfee390e344124857ca8ee7f3ffeb4dfa4f91ce2486efe2c

SHA512
019a8f82c98fc73fc405f26b091615001f5d8286282117b0005fb6caa536e538fa08162cf238d13988955e8e5ff4434256925e4aab6aaa5ddd7a2b5a59d87adb

Download Submit
\ProgramData\ED6B.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2556-0-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/2644-300-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2644-299-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2644-298-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/2644-297-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download