Overview

overview

10

Static

static

10

LBB.exe

windows7-x64

10

LBB.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    14-07-2024 19:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LBB.exe

  • Size

    156KB

  • MD5

    827fd84e6c235dbb400442390a538441

  • SHA1

    f88eafeeb71837534f32d7de483497d8d74fb279

  • SHA256

    7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea

  • SHA512

    4e6df341e606cdc5ecafd02b7e9ba979502301e5e89aaecf604018d014019ffd6bd26b1380cb316ec1beb8f533df5125e75ec67d8760f7bcd90f883b72199f6b

  • SSDEEP

    3072:1DDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368yUTtc76PJCW:n5d/zugZqll3OUCuPJ

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\bMHeBJMks.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: 0B4A03D462BADECE3703C601DA08DB01 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

  • Renames multiple (175) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\LBB.exe
    "C:\Users\Admin\AppData\Local\Temp\LBB.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\ProgramData\2FF6.tmp
      "C:\ProgramData\2FF6.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      PID:2988
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1652
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x154
    1⤵
      PID:1152

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini
      Filesize

      129B

      MD5

      9b55cb6f5ea54871a583b0d8a9a006c3

      SHA1

      d1ce031a3262cd7ecd4dc96f89eea2824c9501c7

      SHA256

      6aa5e1f07f11ea2ea90458741133adba3d7111443b180a0a435d8894b59519d0

      SHA512

      33ae32b892507b39e388c0b8a99ef6ec189ffeb778e87acadb4d6c7567b651c600ac31be6ce690d8f8340979cad8cb1226f61b563a437f4ecb84296b6c35354f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDD
      Filesize

      156KB

      MD5

      fd90923b31e10aa52c0235116191253f

      SHA1

      bab6af5ccdfc6bb4a537ce3b3128ceb9ee9db80e

      SHA256

      17d943cf1ebd4d3fd3cebc2ff746809a19b3a05fe76edfb01a2af815afe4a260

      SHA512

      1004e46476ce93ac2aef8138e470086b56425da2def9025b7c55773281e3b2bde526250a94d6ab74a63ff16f8097b91e1e1b951a26291e020be98c6c06a19eb4

      Download Submit

    • C:\Users\bMHeBJMks.README.txt
      Filesize

      2KB

      MD5

      79d367e490339a31cbc18cbb22d861e6

      SHA1

      ae6663d3895ef08728c48d905c5d2e95f47e8ff5

      SHA256

      1a944024c87658ef91912964827a14a5406ef885d3ff65f59e79831aa9873706

      SHA512

      3d73d1774a24245251783db7b196d906aabc10093ce334ade2f5e821e5366784ac69d962280405da5914b846b8b525ce5ab9e3df29bd658b35dcd7d2577f9c45

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\CCCCCCCCCCC
      Filesize

      129B

      MD5

      a58d9bf036294c7fabca4d25a96ead9e

      SHA1

      e3ff50711af1e603d5b16803f6c229fa57debe3e

      SHA256

      d548c72f600cc23136942325d0913f79e4f8c578b3c444394c03b366f4982a7c

      SHA512

      bde384eecbfd5f448c6a0075561819572210763154d5b6747ec7a23548e17107bbb0050bab19bae85aa7b38b2891596f191a920db2734226a760c7451acda77e

      Download Submit

    • \ProgramData\2FF6.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • memory/2288-0-0x0000000002440000-0x0000000002480000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2988-306-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2988-307-0x00000000002D0000-0x0000000000310000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2988-308-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2988-309-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

      Download