Resubmissions

14-07-2024 13:00

240714-p8n9es1elq 10

14-07-2024 13:00

240714-p8metstdra 10

18-06-2024 22:58

240618-2xvnaasglk 10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-07-2024 13:00

General

  • Target

    LB3.exe

  • Size

    146KB

  • MD5

    2357ecbcf3b566c76c839daf7ecf2681

  • SHA1

    89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58

  • SHA256

    0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305

  • SHA512

    bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~

>>>> Your data is encrypted... but dont freak out
If we encrypted you, you majorly fucked up. But... all can be saved
But not for free, we require an xmr payment

>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment.

>>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
Download and install TOR Browser https://www.torproject.org/
Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while
Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
Link for the normal browser http://group.goocasino.org https://nullbulge.com

>>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3CDB52081011E922F7

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Signatures

  • Renames multiple (619) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
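The first signature above ("Renames multiple (619) files with added filename extension") is the one a defender would turn into detection logic. The block below is an added example, not part of the sandbox report: it scans a stream of file-system events, counts renames that append exactly one extra extension, and ties the dominant extension to a dropped note named `<tag>.README.txt`. The event tuples are a constructed format (not the sandbox's log), and the appended extension `.7V7uPExzv` is an assumption inferred from the note name `7V7uPExzv.README.txt` following LockBit 3.0's naming convention; the report itself lists the note but not the renamed files.

```python
"""Added example (not from the sandbox report): flag the 'renames multiple
files with added filename extension' pattern and correlate it with a
LockBit-style ransom note.

Assumptions: the event tuples below are a constructed format, and the
appended extension ".7V7uPExzv" is inferred from the note name
"7V7uPExzv.README.txt" (LockBit 3.0 names the note after the extension
it appends); the report does not list the renamed files."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# LockBit-style note: "<tag>.README.txt", where <tag> is also the appended extension.
NOTE_RE = re.compile(r"^(?P<tag>[A-Za-z0-9]+)\.README\.txt$", re.IGNORECASE)
# Exactly one extra dotted extension appended to the old name.
EXT_RE = re.compile(r"\.[A-Za-z0-9]+")


def build_sample_events(n_files, ext=".7V7uPExzv", note=r"C:\7V7uPExzv.README.txt"):
    """Constructed sample (not taken from the report): n_files encrypt-and-rename
    events mixed with benign activity, optionally followed by a ransom-note drop."""
    events = [
        # Benign renames that must NOT count as an added extension.
        ("RENAME", r"C:\Users\Admin\Documents\report.docx", r"C:\Users\Admin\Documents\report_final.docx"),
        ("RENAME", r"C:\Users\Admin\Downloads\setup.exe", r"C:\Users\Admin\Desktop\setup.exe"),
        ("CREATE", r"C:\Users\Admin\Desktop\notes.txt", None),
    ]
    for i in range(n_files):
        old = rf"C:\Users\Admin\Documents\file{i}.xlsx"
        events.append(("RENAME", old, old + ext))
    if note:
        events.append(("CREATE", note, None))
    return events


def added_extension(old, new):
    """Return the suffix appended to `old` to form `new` (e.g. ".7V7uPExzv"),
    or None when `new` is not simply `old` plus one extra extension
    (a move or an in-name edit returns None)."""
    if not new.lower().startswith(old.lower()):
        return None
    tail = new[len(old):]
    return tail if EXT_RE.fullmatch(tail) else None


def detect_ransomware_renames(events, min_renames=50):
    """Count renames per appended extension and look for a note whose tag
    matches the dominant extension. 'alert' is True when the count reaches
    min_renames (the sandbox saw 619) or a matching note was dropped, so a
    small early burst plus the note is enough to fire."""
    ext_counts = Counter()
    notes = []  # (tag, path)
    for kind, path, new_path in events:
        if kind == "RENAME" and new_path:
            ext = added_extension(path, new_path)
            if ext:
                ext_counts[ext] += 1
        elif kind == "CREATE":
            m = NOTE_RE.match(PureWindowsPath(path).name)
            if m:
                notes.append((m.group("tag"), path))
    if not ext_counts:
        return {"alert": False, "extension": None, "rename_count": 0, "ransom_notes": []}
    ext, count = ext_counts.most_common(1)[0]
    matching_notes = [p for tag, p in notes if "." + tag.lower() == ext.lower()]
    return {
        "alert": count >= min_renames or bool(matching_notes),
        "extension": ext,
        "rename_count": count,
        "ransom_notes": matching_notes,
    }


if __name__ == "__main__":
    print(detect_ransomware_renames(build_sample_events(619)))
```

Matching the note tag to the extension is what separates this from a generic "many renames" rule: a backup job appending `.bak` to hundreds of files trips the count alone, but will not also drop a `bak.README.txt`.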

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3180
    • C:\ProgramData\E0BC.tmp
      "C:\ProgramData\E0BC.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E0BC.tmp >> NUL
        3⤵
          PID:2216
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:1536
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4300
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{244CA781-401F-4D04-8954-88C1F1F0C43B}.xps" 133654356234330000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of SetWindowsHookEx
          PID:208
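The process tree shows the dropped `C:\ProgramData\E0BC.tmp` removing its own image via `cmd.exe /C DEL /F /Q C:\PROGRA~3\E0BC.tmp >> NUL`, with the directory written as an 8.3 short name so a naive full-path comparison against the parent's image would miss it. The block below is an added example, not part of the report, that detects this self-delete pattern from process-creation records. The record format is constructed; the PIDs, images and command lines are copied from the tree above, and top-level processes get `ppid` 0 because the report does not give their parent.

```python
"""Added example (not from the sandbox report): detect a process deleting
its own image through cmd.exe, as E0BC.tmp does in the process tree.
The event records are a constructed format populated with PIDs and
command lines from that tree; ppid 0 marks a parent the report omits."""
import re
from pathlib import PureWindowsPath

SAMPLE_PROCESS_EVENTS = [
    {"pid": 3288, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\LB3.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\LB3.exe"'},
    {"pid": 3180, "ppid": 3288, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 64, "ppid": 3288, "image": r"C:\ProgramData\E0BC.tmp",
     "cmdline": r'"C:\ProgramData\E0BC.tmp"'},
    {"pid": 2216, "ppid": 64, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E0BC.tmp >> NUL'},
    {"pid": 4300, "ppid": 0, "image": r"C:\Windows\system32\printfilterpipelinesvc.exe",
     "cmdline": r"C:\Windows\system32\printfilterpipelinesvc.exe -Embedding"},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')          # quoted argument or bare token
OPERATOR_RE = re.compile(r"\d?>>?.*|&&?|\|\|?")  # redirects and command separators


def del_targets(cmdline):
    """Return the paths a cmd.exe command line passes to DEL/ERASE.
    Switches (/F, /Q, ...) are skipped and parsing stops at a redirect or
    separator, so '>> NUL' is not mistaken for a target."""
    tokens = TOKEN_RE.findall(cmdline)
    targets = []
    try:
        start = next(i for i, t in enumerate(tokens) if t.upper() in ("DEL", "ERASE"))
    except StopIteration:
        return targets
    for tok in tokens[start + 1:]:
        if OPERATOR_RE.fullmatch(tok):
            break
        if tok.startswith("/"):
            continue
        targets.append(tok.strip('"'))
    return targets


def find_self_deletes(events):
    r"""Flag cmd.exe children whose DEL target has the same file name as the
    parent's image. Only the name is compared because the directory may be
    an 8.3 short name (C:\PROGRA~3 for C:\ProgramData here) that cannot be
    resolved off-host. A short *file* name (e.g. LONGNA~1.EXE) would still
    slip by; resolving that needs GetLongPathName on the host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        parent_name = PureWindowsPath(parent["image"]).name.lower()
        for target in del_targets(e["cmdline"]):
            if PureWindowsPath(target).name.lower() == parent_name:
                hits.append({"parent_pid": parent["pid"], "parent_image": parent["image"],
                             "cmd_pid": e["pid"], "target": target,
                             "short_path": "~" in target})
    return hits


if __name__ == "__main__":
    for hit in find_self_deletes(SAMPLE_PROCESS_EVENTS):
        print(hit)
```

The `short_path` flag is worth surfacing on its own: a command line that spells the target in 8.3 form is unusual for hand-typed administration and is the detail that breaks string-equality rules written against the parent's full image path.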

      Network

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\$Recycle.Bin\S-1-5-21-2990742725-2267136959-192470804-1000\BBBBBBBBBBB

        Filesize

        129B

        MD5

        e7b05fe9cd4d8a818dd130ed5fdf384c

        SHA1

        ff09ecbf5b64cac2fae3c7459b95e26fd16f657d

        SHA256

        d768337ecb054bb1f21d48222d1483e39736de8092580c0d9afcc0adbe68e642

        SHA512

        1b9670b5a720d916dbae15ac76acbeb58cdf4d16f4eac42f62805c58e529eee5e6ceb754dded9041878bb62644e6a4d3dd6ad56f60d5ef2198e402fd93e28d9b

      • C:\7V7uPExzv.README.txt

        Filesize

        1KB

        MD5

        736a444ed4cd4b187d5a57befa0931a8

        SHA1

        a3b181f88ed111931ac0568bd3ea38da8356a60d

        SHA256

        42b0b8b673731ce75403e378f8876ad6d759df8d6db72e047e28e0de1d00d8c9

        SHA512

        d5aa992908ed4979d83d9fff7450c0375a8176b7cc5c049def948213a92965c58873198b3d2fb41008900fb92aa4be0f26e6d1d237c8002d92f2685cd8c74939

      • C:\ProgramData\E0BC.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • C:\Users\Admin\AppData\Local\Temp\CCCCCCC

        Filesize

        146KB

        MD5

        5ff08a563a83f2240c5f4795c33232b6

        SHA1

        ccc1e401416e06f5b1de71b7bda512d44d5e07d5

        SHA256

        ab76e40ae9050e5a877e43c8ac5ef46d229cdb62a1400dd82f3e2f27d322aa7e

        SHA512

        725ec660a6552f693f1cabbcca4f8e7665ea66e2b9a88a5be44dddcc2db2c849378c0e537e1fb739fdcd83ab4cb2acabb0ae99e50d899177042fa944f6cdd67a

      • C:\Users\Admin\AppData\Local\Temp\{005BBF36-4B68-4147-B322-18C17BCA803D}

        Filesize

        4KB

        MD5

        fda7b5d67ecce8cfc1c1018f777a111b

        SHA1

        922eb8b0e3d27dcf31c96e486e0f1bf550b7b577

        SHA256

        7d21c7ffad2b4723b45f249c4fe3fb1aae107a98c88e6e8f1315d157010fc0bf

        SHA512

        fbf275951d7dd504d995d6dfd4bb9bb81156a7d857e21311f76e9a8694b12b6b4ecae95e1d10ed28e53b8486b113c2bd4cd15115e98723f51dd054ec5c094110

      • F:\$RECYCLE.BIN\S-1-5-21-2990742725-2267136959-192470804-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        7b3d79fd9363e5baa2be8f64bbbe2f27

        SHA1

        8c6e86d509e499c9d1f4c41cc17a69f88adec822

        SHA256

        6f4aaec903f9c4e9c2969c860ee285a765087bed502cf6761ae23d608d905264

        SHA512

        e3f65b404d6c6cf41faa414932ed01515e6ae627950215f3af6bb4ac53788b4fa50c5b37b01e97456b520154c90a8e65d91ae90b992196e99983867545aa454b

      • memory/208-2963-0x00007FFF88C90000-0x00007FFF88CA0000-memory.dmp

        Filesize

        64KB

      • memory/208-2968-0x00007FFF88C90000-0x00007FFF88CA0000-memory.dmp

        Filesize

        64KB

      • memory/208-2969-0x00007FFF88C90000-0x00007FFF88CA0000-memory.dmp

        Filesize

        64KB

      • memory/208-2967-0x00007FFF88C90000-0x00007FFF88CA0000-memory.dmp

        Filesize

        64KB

      • memory/208-2970-0x00007FFF88C90000-0x00007FFF88CA0000-memory.dmp

        Filesize

        64KB

      • memory/208-2999-0x00007FFF863E0000-0x00007FFF863F0000-memory.dmp

        Filesize

        64KB

      • memory/208-3000-0x00007FFF863E0000-0x00007FFF863F0000-memory.dmp

        Filesize

        64KB

      • memory/3288-0-0x0000000002B30000-0x0000000002B40000-memory.dmp

        Filesize

        64KB

      • memory/3288-2-0x0000000002B30000-0x0000000002B40000-memory.dmp

        Filesize

        64KB

      • memory/3288-1-0x0000000002B30000-0x0000000002B40000-memory.dmp

        Filesize

        64KB