Overview

overview

10

Static

static

10

LB3.exe

windows7-x64

10

LB3.exe

windows10-1703-x64

10

LB3.exe

windows10-2004-x64

10

Resubmissions

14-07-2024 13:00

240714-p8n9es1elq 10

14-07-2024 13:00

240714-p8metstdra 10

18-06-2024 22:58

240618-2xvnaasglk 10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-07-2024 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LB3.exe

  • Size

    146KB

  • MD5

    2357ecbcf3b566c76c839daf7ecf2681

  • SHA1

    89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58

  • SHA256

    0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305

  • SHA512

    bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3CCC421FD6AD5FE766 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Signatures

  • Renames multiple (630) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:2132
    • C:\ProgramData\992E.tmp
      "C:\ProgramData\992E.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\992E.tmp >> NUL
        3⤵
          PID:1396
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:2064
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{338862C5-BDF4-44C3-A1A4-2E22942BFB28}.xps" 133654356201280000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of SetWindowsHookEx
          PID:4012

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-701583114-2636601053-947405450-1000\PPPPPPPPPPP
        Filesize

        129B

        MD5

        0eefb8afd579a9ec6e32f2c7e4be7f33

        SHA1

        7e74f5be15ad8b4e1ed99770fae8099cde04156a

        SHA256

        c03efaca0224e753b0d079a25c770bf17403af30b192f4bc58729a40ee8308b0

        SHA512

        ae7d07432433a859332edf942a31daeb9cc3ed1ca4907b9d2090a532d12bb489460f3e5bd1356d33b009df83bbff4b125a0dbc3bd7c285a25015f142e343b22f

        Download Submit

      • C:\7V7uPExzv.README.txt
        Filesize

        1KB

        MD5

        c881a1b89a5a8a9d0a62b8d39b312c0f

        SHA1

        a0ac7291d7931d0d0c75071f4d8fc46172f57a38

        SHA256

        ce39f1506f1d56a06c4be84098a6099f7e92687f144ce6c0dd7740a464b7c6f4

        SHA512

        e0e535f26bae8889ef6255a4c31085d34a9e7ec5212df9bc35f2682d034fe95e3153031cb59217bc945887b02815abc56cba74d687270dc09cbe0664eb216502

        Download Submit

      • C:\ProgramData\992E.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDD
        Filesize

        146KB

        MD5

        29c6b35b32de16a0b5843a174f6dcc0e

        SHA1

        79df3962b01c9cc1d53fba4eeab973b489702c64

        SHA256

        960a495fffc84ef58b80a21508017863a476389256463ac868e013cca863b14c

        SHA512

        6f4be9eba9a04bd1e2ac6934ea24b88575641b09a761be1c0749ae2fa087b7128cc4e2f546db57c2bfda140a4482786e2d99ed26264b4858cd20b316a1d16770

        Download Submit

      • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
        Filesize

        4KB

        MD5

        1c5b85eef108e5d07db5ccc2811c60ad

        SHA1

        80a237e427dcedacf74a58497f4e67fd88178a64

        SHA256

        03c421b83b5d8dbe48ba4df4c30039122321bd48da1c79c0d059cba64c84a63b

        SHA512

        50ae04d5edcbe20328b99d6043bfa6e1545ed7e066d0d515999f990d25ca4f4525946006cbfdaa2d28d9f1d775a466a4f07226daa4eb14e872ad3a1fdf1eef6f

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-701583114-2636601053-947405450-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        75bdd79feb05cfee2011572eaf0e7a2e

        SHA1

        1474d6de1237494639cce6cfad484e16cc42b5d1

        SHA256

        14d151a92dd614647344e4ceb50b1d75dfe1691f0ae0b73b0bde0ec455e8c027

        SHA512

        bee04087ffdd7d7bbb08c72b530772a78b099ccd7c49839f533f8a50cb4d4bf10276bdb058e28b3c0bbe795fd1f6b94116080a8f389a4494ddd5903a13e852ee

        Download Submit

      • memory/4012-2819-0x00007FF860150000-0x00007FF860160000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4012-2820-0x00007FF860150000-0x00007FF860160000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4012-2821-0x00007FF860150000-0x00007FF860160000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4012-2818-0x00007FF860150000-0x00007FF860160000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4012-2816-0x00007FF860150000-0x00007FF860160000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4012-2850-0x00007FF85E0F0000-0x00007FF85E100000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4012-2851-0x00007FF85E0F0000-0x00007FF85E100000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4580-0-0x0000000002D40000-0x0000000002D50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4580-1-0x0000000002D40000-0x0000000002D50000-memory.dmp

        Filesize

        64KB

        Download