Analysis
- max time kernel: 145s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-07-2024 13:02
Behavioral task behavioral1
- Sample: LB3.exe
- Resource: win7-20240704-en
Behavioral task behavioral2
- Sample: LB3.exe
- Resource: win10v2004-20240709-en
General
- Target: LB3.exe
- Size: 146KB
- MD5: 2357ecbcf3b566c76c839daf7ecf2681
- SHA1: 89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58
- SHA256: 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305
- SHA512: bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401
- SSDEEP: 3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU
Malware Config
Extracted
- Ransom note: C:\7V7uPExzv.README.txt (the same 7V7uPExzv token is used for the appended file extension, the wallpaper .bmp and the .ico registered below)
- http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
- http://group.goocasino.org
- https://nullbulge.com
Signatures
- Renames multiple (633) files with added filename extension
  Renaming hundreds of files by appending a single new extension is the characteristic footprint of ransomware encrypting files across the system.
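As an added illustration (not part of the sandbox report or of the sample), the following Python reproduces what this signature counts, given a stream of file-rename events: per process, renames are grouped by the extension appended to the original file name and reported once a threshold is reached. The event fields, the process names, the twelve constructed renames and the threshold of 10 are assumptions for the example.

```python
"""Added example (not part of the sandbox report): flag a ransomware-style
rename burst from file-rename telemetry.

For each process, renames are grouped by the extension appended to the
original name, and any (process, extension) pair at or above a threshold is
reported. Plain renames and moves to another directory are ignored. Event
fields, process names and the sample events are assumptions.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RenameEvent:
    pid: int
    image: str
    old_path: str
    new_path: str


def appended_extension(old_path: str, new_path: str) -> Optional[str]:
    """Return EXT when new_path is old_path with '.EXT' appended in the same
    directory; None for ordinary renames, moves, or multi-part suffixes."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower():
        return None
    if not new_name.lower().startswith(old_name.lower() + "."):
        return None
    ext = new_name[len(old_name) + 1:]
    return ext if ext and "." not in ext else None


def rename_bursts(events, threshold: int = 10) -> dict:
    """Return {(pid, image, ext): count} for pairs meeting the threshold."""
    counts = defaultdict(int)
    for ev in events:
        ext = appended_extension(ev.old_path, ev.new_path)
        if ext is not None:
            counts[(ev.pid, ev.image, ext)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample: 12 documents renamed by LB3.exe with the report's
# extension, plus renames that must not count.
SAMPLE_EVENTS = [
    RenameEvent(2836, "LB3.exe",
                rf"C:\Users\Admin\Documents\report{i}.docx",
                rf"C:\Users\Admin\Documents\report{i}.docx.7V7uPExzv")
    for i in range(12)
] + [
    RenameEvent(1234, "explorer.exe", r"C:\Users\Admin\a.txt", r"C:\Users\Admin\b.txt"),
    RenameEvent(1234, "explorer.exe", r"C:\Users\Admin\c.tmp", r"C:\Users\Admin\c.tmp.bak"),
    RenameEvent(2836, "LB3.exe", r"C:\ProgramData\x.bin", r"D:\x.bin.7V7uPExzv"),  # moved, not counted
]

if __name__ == "__main__":
    for (pid, image, ext), n in rename_bursts(SAMPLE_EVENTS).items():
        print(f"{image} (PID {pid}) appended .{ext} to {n} files")
```

On real telemetry the count should be taken over a short time window and the rule should also require the renames to span several directories, otherwise a backup tool that suffixes its own files in one folder will trip it.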
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, most likely a geofence check.
  Process DFF1.tmp: key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation
- Deletes itself (1 IoC)
  Process DFF1.tmp (PID 4336)
- Executes dropped EXE (1 IoC)
  Process DFF1.tmp (PID 4336)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Drops desktop.ini file(s) (2 IoCs)
  Process LB3.exe: file opened for modification C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini
  Process LB3.exe: file opened for modification F:\$RECYCLE.BIN\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini
- Drops file in System32 directory (4 IoCs)
  Process printfilterpipelinesvc.exe: file created C:\Windows\system32\spool\PRINTERS\PPn3pd98365a24b6geix3bp0ho.TMP
  Process printfilterpipelinesvc.exe: file created C:\Windows\system32\spool\PRINTERS\PP_wuxavnx5yrzft79ggiy8zxuc.TMP
  Process printfilterpipelinesvc.exe: file created C:\Windows\system32\spool\PRINTERS\PPlpgu0qu7pwu801jb95svepvxd.TMP
  Process splwow64.exe: file created C:\Windows\system32\spool\PRINTERS\00002.SPL
  splwow64.exe and printfilterpipelinesvc.exe are Windows print-spooler components, and the spool files they create are the output of a print job rather than payloads written by the sample. Together with splwow64.exe being spawned by LB3.exe and ONENOTE.EXE being launched with /insertdoc on an .xps file (see the process tree below), this is consistent with the sample submitting a document to the installed virtual printer.
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Process LB3.exe: set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7V7uPExzv.bmp"
  Process LB3.exe: set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7V7uPExzv.bmp"
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Process LB3.exe (PID 2836): 4 events
  Process DFF1.tmp (PID 4336): 1 event
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process ONENOTE.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Process ONENOTE.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Process ONENOTE.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process ONENOTE.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Process ONENOTE.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Process ONENOTE.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  Both of these signatures are attributed to ONENOTE.EXE, a Microsoft Office process started by printfilterpipelinesvc.exe rather than by the sample, so on their own they do not show sandbox detection by LB3.exe or DFF1.tmp.
- Modifies Control Panel (2 IoCs)
  Process LB3.exe: key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\Desktop
  Process LB3.exe: set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\Desktop\WallpaperStyle = "10"
- Modifies registry class (5 IoCs)
  Process LB3.exe: key created \REGISTRY\MACHINE\SOFTWARE\Classes\.7V7uPExzv
  Process LB3.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.7V7uPExzv\ = "7V7uPExzv"
  Process LB3.exe: key created \REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv\DefaultIcon
  Process LB3.exe: key created \REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv
  Process LB3.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv\DefaultIcon\ = "C:\\ProgramData\\7V7uPExzv.ico"
  Together these register .7V7uPExzv as a file type whose ProgID is 7V7uPExzv and whose icon is the dropped C:\ProgramData\7V7uPExzv.ico, so every encrypted file shows the attacker's icon in Explorer.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process LB3.exe (PID 2836): 64 events
- Suspicious behavior: RenamesItself (26 IoCs)
  Process DFF1.tmp (PID 4336): 26 events
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All 64 events are from LB3.exe (PID 2836). The first 15 adjust, in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, privilege 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, privilege 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege. A further SeDebugPrivilege adjustment follows, and the remaining events alternate between SeBackupPrivilege and SeSecurityPrivilege in pairs.
  The two privileges the report gives only by number, 33 and 36, are SeIncreaseWorkingSetPrivilege and SeDelegateSessionUserImpersonatePrivilege under the winnt.h SE_*_PRIVILEGE numbering. SeBackupPrivilege and SeRestorePrivilege together let a process read and write files regardless of their ACLs, and SeTakeOwnershipPrivilege and SeManageVolumePrivilege widen that further; this is the combination an encryptor needs to reach files its user would otherwise be denied.
- Suspicious use of SetWindowsHookEx (13 IoCs)
  Process ONENOTE.EXE (PID 4612): 13 events (an Office process started by the print pipeline, not by the sample)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2836 LB3.exe wrote to memory of PID 5596 (splwow64.exe): 2 events, procid_target 89
  PID 668 printfilterpipelinesvc.exe wrote to memory of PID 4612 (ONENOTE.EXE): 2 events, procid_target 92
  PID 2836 LB3.exe wrote to memory of PID 4336 (DFF1.tmp): 4 events, procid_target 93
  PID 4336 DFF1.tmp wrote to memory of PID 5276 (cmd.exe): 3 events, procid_target 94
  Each target is the writer's direct child in the process tree below, so these writes coincide with process creation; no write into an unrelated, pre-existing process is recorded, which is what injection would look like.
Processes
- C:\Users\Admin\AppData\Local\Temp\LB3.exe (PID 2836)
  Command line: "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
  Signatures: Drops desktop.ini file(s); Sets desktop wallpaper using registry; Suspicious use of NtSetInformationThreadHideFromDebugger; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 5596)
    Command line: C:\Windows\splwow64.exe 12288
    Signatures: Drops file in System32 directory
  - C:\ProgramData\DFF1.tmp (PID 4336)
    Command line: "C:\ProgramData\DFF1.tmp"
    Signatures: Checks computer location settings; Deletes itself; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 5276)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DFF1.tmp >> NUL
      C:\PROGRA~3 is the 8.3 short name that here resolves to C:\ProgramData, where DFF1.tmp was dropped, so this is the self-deletion step. The image path is SysWOW64 although the command line names System32: that is WOW64 file-system redirection, which shows DFF1.tmp runs as a 32-bit process.
- C:\Windows\system32\svchost.exe (PID 2728)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- C:\Windows\system32\printfilterpipelinesvc.exe (PID 668)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 4612)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{919483FE-F3F3-452C-A5F1-37944A02773A}.xps" 133654357587660000
    Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious use of SetWindowsHookEx
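As an added example (not from the report or the sample), the following Python detects the self-deletion step in the tree above, where the dropped DFF1.tmp spawns cmd.exe to delete its own image. It walks process-creation records, extracts every DEL target from a cmd.exe command line, and compares it with the parent's image path. Because the report writes the target as C:\PROGRA~3\DFF1.tmp while the image is C:\ProgramData\DFF1.tmp, the comparison expands common 8.3 short names; that alias table and the record fields (modelled on Sysmon EventID 1) are assumptions for offline use, and on a live host the short name would be resolved with GetLongPathNameW instead.

```python
"""Added example, not part of the sandbox report: find a process that spawns
cmd.exe to delete its own executable, as DFF1.tmp does above.

Records are (pid, ppid, image, cmdline); the parent is looked up by ppid in
the recorded events rather than on the live system, since by the time cmd.exe
runs the parent has usually exited. Field names, the short-name alias table
and the sample events are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as recorded by the sensor
    cmdline: str


# Assumed 8.3 aliases for a default system drive; not guaranteed on every host.
SHORT_NAME_ALIASES = {
    "progra~1": "program files",
    "progra~2": "program files (x86)",
    "progra~3": "programdata",
}

# DEL or ERASE, optional switches such as /F /Q, then one target (quoted or
# bare). A bare target stops at whitespace or a shell operator.
_DEL_CMD = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+("[^"]+"|[^\s>&|]+)', re.IGNORECASE)


def canonical_parts(path: str) -> list:
    """Lower-cased path components with known 8.3 aliases expanded."""
    parts = path.strip('"').lower().split("\\")
    return [SHORT_NAME_ALIASES.get(p, p) for p in parts]


def del_targets(cmdline: str) -> list:
    """Every path a cmd.exe command line asks DEL/ERASE to remove."""
    return [canonical_parts(m.group(1)) for m in _DEL_CMD.finditer(cmdline)]


def self_deletions(events) -> list:
    """Return (parent_pid, parent_image, cmd_pid) for each cmd.exe child whose
    DEL target is its parent's own image file."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        if ntpath.basename(ev.image).lower() != "cmd.exe":
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        if canonical_parts(parent.image) in del_targets(ev.cmdline):
            hits.append((parent.pid, parent.image, ev.pid))
    return hits


# Constructed sample mirroring the report's process tree, plus a benign DEL
# whose parent is not in the recorded events.
SAMPLE_EVENTS = [
    ProcEvent(2836, 1000, r"C:\Users\Admin\AppData\Local\Temp\LB3.exe",
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\LB3.exe"'),
    ProcEvent(4336, 2836, r"C:\ProgramData\DFF1.tmp", '"C:\\ProgramData\\DFF1.tmp"'),
    ProcEvent(5276, 4336, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /C DEL /F /Q C:\\PROGRA~3\\DFF1.tmp >> NUL'),
    ProcEvent(6100, 1000, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /C del /q "C:\\Users\\Admin\\Downloads\\old report.pdf"'),
]

if __name__ == "__main__":
    for ppid, image, cpid in self_deletions(SAMPLE_EVENTS):
        print(f"PID {ppid} ({image}) deleted its own image via cmd.exe PID {cpid}")
```

The same comparison catches the variant where the parent names itself with its long path or a quoted path; what it does not cover is deletion through a delayed `ping`/`timeout` chain or through PowerShell's Remove-Item, which need their own target extractors.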
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: 90617e2bf5c5bf932dcc84da8733550f
  SHA1: 931073d8c5a4709f522519a2413c7e0c56625619
  SHA256: 809db26950a74526d7bdfd911095568776d036fde1fb2f5a6b705500b9fe4faa
  SHA512: afac01461715eed23f58e289f70340cc786f51694e30d0e683886d44935650b9c677044408a0b9c717e65c697b376053ba84d54cee7803508f0ad9317da54dad
- Filesize: 1KB
  MD5: 9fbb3dcf9db5c625c02856f6efd18c50
  SHA1: 88d4a02fda2987c06d0ba5194f8b80975c44160b
  SHA256: 81d624e4dc7cd0ddfc370248ecccd02f92f92801223a786f609373846e4be226
  SHA512: dde7e8c2a2e5d1369b3f2bbff9e12233bb0e2a826d9d7157b590144e6d1ecb5a7844cd2c52e80bb4a4c4338517ddb06599dcee790a65f0b67a8396e82ff81151
- Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
- Filesize: 146KB (same size as the submitted LB3.exe but different hashes, so not a byte-identical copy)
  MD5: 4afdd5287a74ea30941dc37efc03c651
  SHA1: c35126f47612d631236084c46867fa7c5f95b1ab
  SHA256: 8f19ead71865bef9ab81e15b7bf6443b4d36fff398aa2f9d65b3bd466966ee18
  SHA512: 6e7cd603a35ed99dc72a9c393d8506d8c32f195950aada232934ec0f441acaf5747c7efe279f0604f6c388c0c2ae7b9c3a97b562893c12de9105d69bff5e9bb1
- Filesize: 4KB
  MD5: fb4bab7ed228f2ad8abc556ff35d42b7
  SHA1: c1685c0c27ec9508edaf1d418f7de0b2159bd923
  SHA256: d6aac015b809968a44eaac9bd3af260278207a36ec518a2189974f5a5a92835e
  SHA512: 691a7dbf4ffd9e2aec39f3bbcfe4153809fae2856b449c8aeef93813e69ddfdfc54be592ae3c128f8e240beb7cc0e3e98626d85c50eba1464a40746c7a7dffdf
- Filesize: 4KB
  MD5: 589aec84cf941cc3a805523e9ae3490a
  SHA1: 4e48bdc724260dae37910f3f833744065b79efca
  SHA256: 42389c4c78bb081170fb47f373c1563b08a3bc4eb20365ef27ccd3bdda41b82e
  SHA512: 7cde1c19f604616fe6dc2bc3b047ebda15356f0a3f66446a2246a15b0211509103c3669ffc9becf2dde6a7d90bb77bb54dddf7fa856d609f4c2c9c8838c37f2e
- Filesize: 129B
  MD5: a85da26bc73cc3d5275bd8ef06858971
  SHA1: c5408406ff1febc9f3433b6e07c3ff8f50692789
  SHA256: e4c08dc5325992e891bdffdeb0266ded50a817057de9321de4cdf03777dc4bba
  SHA512: 2641bf241e8db61e4c8abdbd95579d7ac920c1d42322141e30bd2360f2c962719d13c56a0304343605fd156900dcedef159c0f0d7600cd39c29c5058ae6978a5