Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-07-2024 13:02

General

  • Target

    LB3.exe

  • Size

    146KB

  • MD5

    2357ecbcf3b566c76c839daf7ecf2681

  • SHA1

    89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58

  • SHA256

    0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305

  • SHA512

    bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C77BA865C63AEB9E7 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Signatures

  • Renames multiple (821) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\ProgramData\B599.tmp
      "C:\ProgramData\B599.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B599.tmp >> NUL
        3⤵
        PID:1884
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x150
    1⤵
    PID:2304

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\AAAAAAAAAAA

    Filesize

    129B

    MD5

    c3dd3ef78ae09101e939766a48ad754f

    SHA1

    aad64fa59ad2778fcef0e806cac610b15d1e9be2

    SHA256

    74fc8fde0834f6e1bff0097697f9c1c3f3d422ca8733da1a69086521d8368f49

    SHA512

    e515021bc6ddfdf47e54cb2b68c85389a0502dc99f4134dd706bb4af50f85007b2c84feb6a60a3d5c4cb720078f65cfbadd47c6795d62d3a7490f077dd24bebf

  • C:\7V7uPExzv.README.txt

    Filesize

    1KB

    MD5

    0d81714d5238e8535ab173285b7a8bda

    SHA1

    870ee5b57d9fa5245978706f81c67867d96cd478

    SHA256

    f97bc5cd317558aa885eff14934e0ad9fafa70dbdec3d96b2844c7dbfd2294aa

    SHA512

    aa9eee6093766e1f3025486086c02c19aaa8cf9b2e470e31747d80753ab002891a944551853a65456334409c9095fe60a13892dc50e4c9d54e8411cddb8c9946

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDD

    Filesize

    146KB

    MD5

    5614f082881742de4915e702d1c39607

    SHA1

    11721266717fe486864cb60f7110f21d714c40e3

    SHA256

    2f182e89fb8d476fb5bc38d7b4bb89e43801ee050e04fdfcd2c5e746e2d3bc44

    SHA512

    0bc752bdaefa496ff1f7c578fc54787f6ef21f52069d7a5e67f8b8aa9d9a330186d51c9686eb8a55b84451ca86c6191ada047e69be88b200d90a363bf06b546a

  • F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\JJJJJJJJJJJ

    Filesize

    129B

    MD5

    5ab628074292fc5908cc11cfa61bf101

    SHA1

    a5d2386ea6712236a7f7d195c68d435dd785db94

    SHA256

    9e087fe4720b5e52783d6353550406f0be151d7d0d54bbb0550b81ae3c6aef27

    SHA512

    31e730b905dab5c260127de83b13a0f79de44cfd2de922efffc2573e138f37f338f9b86a783da4c473885d92b23a87cfd99f87412b61510bf16386afd2e0b5cb

  • \ProgramData\B599.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • memory/2448-3604-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

  • memory/2448-3606-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/2728-0-0x00000000002A0000-0x00000000002E0000-memory.dmp

    Filesize

    256KB