Resubmissions

14-07-2024 13:00

240714-p8n9es1elq 10

14-07-2024 13:00

240714-p8metstdra 10

18-06-2024 22:58

240618-2xvnaasglk 10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-07-2024 13:00

General

  • Target

    LB3.exe

  • Size

    146KB

  • MD5

    2357ecbcf3b566c76c839daf7ecf2681

  • SHA1

    89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58

  • SHA256

    0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305

  • SHA512

    bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note

~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~
>>>> Your data is encrypted... but dont freak out
If we encrypted you, you majorly fucked up. But... all can be saved
But not for free, we require an xmr payment
>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment.
>>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
Download and install TOR Browser https://www.torproject.org/
Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while
Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
Link for the normal browser http://group.goocasino.org https://nullbulge.com
>>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C69CBDA91F2A88294
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Signatures

  • Renames multiple (315) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\ProgramData\511C.tmp
      "C:\ProgramData\511C.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\511C.tmp >> NUL
        3⤵
          PID:948
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x14c
      1⤵
        PID:1692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\HHHHHHHHHHH

    Filesize

    129B

    MD5

    031a29b55f791cfa422c4616c3a37eba

    SHA1

    0f0a14d9b821013e8d7195a3c80d054d08cc7a36

    SHA256

    3b7737211c739ccf7773db2f23f68eefa89aa10fa716038f70d9563326c5e14c

    SHA512

    910fecdbc3b4befe7d2484d1107a026c7c4cba1a5da09f1fd0178202e4a88b6564b64ddceceea4e5771e7ad5aa6b72fa23a945f95a0e512f5217a7364d52514b

  • C:\7V7uPExzv.README.txt

    Filesize

    1KB

    MD5

    2b80da09ebb77d6054a8188c9911beb4

    SHA1

    8c50a3aadd0b5d1d2aabe6aca426aabf86662f3d

    SHA256

    5b6f10be14cf6b30143e9921d44bc6a276f0181931fc4198c2d66e876bd19189

    SHA512

    63fdf1f5cbe607626912f200dfe4f11d1c5143d04c8f0fbaae33a5a076ae648c7584397166f3f9354c12e52b3e2c6f5299fe95f611c8d21e5a5c6d42cca037c3

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDD

    Filesize

    146KB

    MD5

    0089cc9c07788ab17adccdee8b365faa

    SHA1

    7b90e8fc5ac1aeefeae8f3032817637df5d7f912

    SHA256

    d36e43e9e4905ed7a8a8b887037da133542a84ef0465a09b953d2d75cbb81935

    SHA512

    b2298c6007a690758b0329561fd0aac25d031936dd12abb96ecdc38aa3981231e0cf48130bde33fb7039c80be48f011129b0379c41d19873e0a3f4dd353e8676

  • F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\IIIIIIIIIII

    Filesize

    129B

    MD5

    a683ab5f2ab0ea6a5bbfd0874b9eab2a

    SHA1

    fe09b80ce6fa9bde951b45e2c2fdd8a4cc106885

    SHA256

    dd41583717c8e391e66d88e3df976b3da2d752be4cccf8f37c42dadbad9e7fcd

    SHA512

    a220dbd3b5edfefd7465056417678acbbf52ce58c874efc23706b4e1dbd7c2c8a611cbcf9caec362441a9fa016858b2b8ac9bd2e00d69bee1cca30cd985eee01

  • \ProgramData\511C.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • memory/2492-849-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

    Filesize

    4KB

  • memory/2492-850-0x0000000000A40000-0x0000000000A80000-memory.dmp

    Filesize

    256KB

  • memory/2492-852-0x000000007EF20000-0x000000007EF21000-memory.dmp

    Filesize

    4KB

  • memory/2492-851-0x000000007EF80000-0x000000007EF81000-memory.dmp

    Filesize

    4KB

  • memory/2492-882-0x000000007EF60000-0x000000007EF61000-memory.dmp

    Filesize

    4KB

  • memory/2492-881-0x000000007EF40000-0x000000007EF41000-memory.dmp

    Filesize

    4KB

  • memory/2652-0-0x0000000000490000-0x00000000004D0000-memory.dmp

    Filesize

    256KB