Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/07/2024, 20:01

General

  • Target

    LB3.exe

  • Size

    146KB

  • MD5

    2357ecbcf3b566c76c839daf7ecf2681

  • SHA1

    89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58

  • SHA256

    0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305

  • SHA512

    bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~

>>>> Your data is encrypted... but dont freak out
If we encrypted you, you majorly fucked up. But... all can be saved
But not for free, we require an xmr payment

>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption.
Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right?
If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important.
There is no dissatisfied victim after payment.

>>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
Download and install TOR Browser https://www.torproject.org/
Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while
Links for Tor Browser:
http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
Link for the normal browser
http://group.goocasino.org
https://nullbulge.com

>>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C809104D95F9C51B8

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Signatures

  • Renames multiple (821) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\ProgramData\A0C2.tmp
      "C:\ProgramData\A0C2.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A0C2.tmp >> NUL
        3⤵
          PID:624
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x150
      1⤵
        PID:2756

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini

        Filesize

        129B

        MD5

        6f1ff9f7da1078e277b88c6b092ae447

        SHA1

        1451f1f32bcd55ab6655ffd401fcbf45d52e39be

        SHA256

        2fa90156abb9d955972fedb8ab1df62da7128d0fbc2707167f5188f6c9cda484

        SHA512

        bbcdd26767dd26bc3a1da7ac7e7f08f91efe1edd99d810a13af6926e3cb785858d1390fc931698bbf53b94499bae7cbbcf58503ed870743413abc793b7f1ce11

      • C:\7V7uPExzv.README.txt

        Filesize

        1KB

        MD5

        44193c66c4cbf6aa6dfd97e18f03b5ad

        SHA1

        3d86130472889cadc5d269085286dd825234c913

        SHA256

        38d46e84596f427570c8343e89947dcc3c51c8f8432d865af7ba113b52633b65

        SHA512

        127158d48c35784486b8a4aff1480646a6a5ee6967565070f5d6b312b76cbcf8c7037cb4e2f5e4755b6fd803c8e5432a4b3b7fd23211821a7c2b7cb91e287747

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDD

        Filesize

        146KB

        MD5

        d11979fbc0cff169d5b7ecdec1a62e7c

        SHA1

        fa8d1aaa89e7ecacd5296a00a3d6e29b2c7a21f1

        SHA256

        19b5f316f68f04dfe9e884eff0ad0c31fba48d9cca1d4b35a4c54d8cec76bae8

        SHA512

        971242440d0d723c677edb33b87d3518e6a734dcab7d19d19519cc301fcdc4790a03665adff0e73f2c7d0c253bd88f49c9ae3d9ef8075605794b9480065b33cc

      • F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\EEEEEEEEEEE

        Filesize

        129B

        MD5

        0e0baf6f3c835f1b8cf732192263d546

        SHA1

        bbd403668bce61a19629a7a527d52de573b597a1

        SHA256

        967e5e6b5005d3f620aced0bec3d614ceb30bee16c21a6ee6394ba396d2d8f7e

        SHA512

        48d3595a134403756641d09db94351468d4dd0111bde8897b6237eee16111b881d480cd252c94fc0ddef344e6a75ce323b1fa7b846758f17847ef2d45c54606f

      • \ProgramData\A0C2.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • memory/2816-0-0x0000000002170000-0x00000000021B0000-memory.dmp

        Filesize

        256KB

      • memory/3012-3604-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

      • memory/3012-3606-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB