Overview

overview

10

Static

static

10

LB3.exe

windows7-x64

10

LB3.exe

windows10-1703-x64

10

LB3.exe

windows10-2004-x64

10

LB3.exe

windows11-21h2-x64

10

Resubmissions

14-07-2024 13:00

240714-p8n9es1elq 10

14-07-2024 13:00

240714-p8metstdra 10

18-06-2024 22:58

240618-2xvnaasglk 10

Analysis

  • max time kernel
    143s
  • max time network
    138s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-07-2024 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LB3.exe

  • Size

    146KB

  • MD5

    2357ecbcf3b566c76c839daf7ecf2681

  • SHA1

    89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58

  • SHA256

    0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305

  • SHA512

    bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C9998D85EC552B14B >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Signatures

  • Renames multiple (587) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:2592
    • C:\ProgramData\D5FE.tmp
      "C:\ProgramData\D5FE.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D5FE.tmp >> NUL
        3⤵
          PID:1184
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:4484
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4944
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{4AD2A31E-0BA6-4EA1-85D1-07382EDB3D5F}.xps" 133654356212770000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:3688

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-95457810-830748662-4054918673-1000\AAAAAAAAAAA
        Filesize

        129B

        MD5

        13940617ff5b0d2bfefca712872116c7

        SHA1

        81d0082156ae8a7be6182f9aa0ef33f8ca2a87e1

        SHA256

        6ab2f4a21166ce1da9bd91c3f77fb162fd57135816e87e0d419705f7a1c3ada8

        SHA512

        fba09418771c2b7d31673f148b1b6009362ad89bcec2aca39f60d5dda2c75ed06c89d6ec1394806f43a6ed78f93b280601c2f0d84b996285e6b3428926f7c953

        Download Submit

      • C:\7V7uPExzv.README.txt
        Filesize

        1KB

        MD5

        cbf0d4c25c5b1ba463485440d9917c49

        SHA1

        98163c7b93b587cda6bf1707939a287d81261a33

        SHA256

        709744f105cd9265332d60dc63e201b94302a3b0046046bda3d72d16e0c0e14f

        SHA512

        ad4681d49cb6fab37d15afd47990b3a0040f545d4ba7abae906532709a69243c81315fa24ddfe86fcb6deb3c3458dd3227a4b66d28408a9aa03976f3542da654

        Download Submit

      • C:\ProgramData\D5FE.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDD
        Filesize

        146KB

        MD5

        0fcf148717bbbb8eaee11ef5cfb7d78c

        SHA1

        d2234d9342d082eda94c93293683438356bfc9b3

        SHA256

        83842ec10b5b1f145d04262dd7f9e3f5bcdffc96ee62c1b9d1c299bb60e28efe

        SHA512

        4943cfd725eb7c6b915524b820600d2b61ac517553b96660d59d758764383ed203723db7cfe1d75974afc48391d5218f5103f8a25a09878803177c45476e4fd5

        Download Submit

      • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
        Filesize

        4KB

        MD5

        d737492a7cdec53b090ac1dea1c074d2

        SHA1

        25878294e164dbde6032415298ed3f63b84de757

        SHA256

        4fed82082d472825f7bde916a8cca8eea732c5cd51c208930f5e13cf4608b11a

        SHA512

        416f0b6ab9ced25634f3f3957dd6a19827ecc6bbea94d2289e22da06f858991e0456e9aa6b823bebbfcd2eae9c5499bd08ed88b4b46f8473174f87295b117d91

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-95457810-830748662-4054918673-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        0415614519051b840e339e3ca4c8e823

        SHA1

        7404a4360aaf86add5c5a1a147ebd7daf340cf7e

        SHA256

        d80c6d0030199b209dae16d266bb818398b1fdacaab663405995324ded823b3a

        SHA512

        37e1af86ad5ac5c736b59c4b66ec3aee5708d5bbc30a855eb1fe2bac091aa2c67e71dc54ccf298dfc2a39038e99cc525216c594c8bae6ba256dd7344c7dbc352

        Download Submit

      • memory/1412-0-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1412-2-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1412-1-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3688-2756-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3688-2757-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3688-2758-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3688-2755-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3688-2754-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3688-2787-0x00007FFF41FA0000-0x00007FFF41FB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3688-2788-0x00007FFF41FA0000-0x00007FFF41FB0000-memory.dmp

        Filesize

        64KB

        Download