41e187191625d749b89a11bc04fc0b2a3b9bd638035d05b39365c47ab36d1898

Analysis

max time kernel
66s
max time network
22s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lb.exe
Size

194KB
MD5

6fd558cf3add096970e15d1e62ca1957
SHA1

78e95fabcfe8ef7bb6419f8456deccc3d5fa4c23
SHA256

41e187191625d749b89a11bc04fc0b2a3b9bd638035d05b39365c47ab36d1898
SHA512

fac7efe9b76f9b6a917f8751f5be64ad8e067e5404fe05f3e9d7781ea3661a06c0baaac676a6023eb4a0b7f01bc2bb2d64d572f85aec8ad8de35cc7f106e1fdc
SSDEEP

3072:n6glyuxE4GsUPnliByocWepMhJL4BFkTGX:n6gDBGpvEByocWeyhJL4UK

Score

9^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (364) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2076	DB23.tmp

Executes dropped EXE 1 IoCs

pid	Process
2076	DB23.tmp

Loads dropped DLL 1 IoCs

pid	Process
1580	lb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini	lb.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini	lb.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AAtvmKv4L.bmp"	lb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AAtvmKv4L.bmp"	lb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1580	lb.exe
1580	lb.exe
1580	lb.exe
1580	lb.exe
2076	DB23.tmp

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DB23.tmp

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\WallpaperStyle = "10"	lb.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop	lb.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AAtvmKv4L	lb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AAtvmKv4L\DefaultIcon\ = "C:\\ProgramData\\AAtvmKv4L.ico"	lb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.AAtvmKv4L	lb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.AAtvmKv4L\ = "AAtvmKv4L"	lb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AAtvmKv4L\DefaultIcon	lb.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1580	lb.exe
1580	lb.exe
1580	lb.exe
1580	lb.exe
1580	lb.exe
1580	lb.exe
1580	lb.exe
1580	lb.exe
1580	lb.exe
1580	lb.exe
1580	lb.exe
1580	lb.exe
1580	lb.exe
1580	lb.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp
2076	DB23.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeDebugPrivilege	1580	lb.exe
Token: 36	1580	lb.exe
Token: SeImpersonatePrivilege	1580	lb.exe
Token: SeIncBasePriorityPrivilege	1580	lb.exe
Token: SeIncreaseQuotaPrivilege	1580	lb.exe
Token: 33	1580	lb.exe
Token: SeManageVolumePrivilege	1580	lb.exe
Token: SeProfSingleProcessPrivilege	1580	lb.exe
Token: SeRestorePrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeSystemProfilePrivilege	1580	lb.exe
Token: SeTakeOwnershipPrivilege	1580	lb.exe
Token: SeShutdownPrivilege	1580	lb.exe
Token: SeDebugPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeBackupPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe
Token: SeSecurityPrivilege	1580	lb.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2076	1580	lb.exe	33
PID 1580 wrote to memory of 2076	1580	lb.exe	33
PID 1580 wrote to memory of 2076	1580	lb.exe	33
PID 1580 wrote to memory of 2076	1580	lb.exe	33
PID 1580 wrote to memory of 2076	1580	lb.exe	33
PID 2076 wrote to memory of 2544	2076	DB23.tmp	34
PID 2076 wrote to memory of 2544	2076	DB23.tmp	34
PID 2076 wrote to memory of 2544	2076	DB23.tmp	34
PID 2076 wrote to memory of 2544	2076	DB23.tmp	34

C:\Users\Admin\AppData\Local\Temp\lb.exe
"C:\Users\Admin\AppData\Local\Temp\lb.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\ProgramData\DB23.tmp
  "C:\ProgramData\DB23.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DB23.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2544

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini

Filesize
129B

MD5
146f02e64de119f76d263b29de13f998

SHA1
adf75af6307bb8525e6a9705906cf0da9178a8f7

SHA256
022fabbc1e8e6de9aa3ac00bf2c7b2f057d7b26a15aa4eaa56654f2fa81fe1f0

SHA512
f21c6b2b151089079ef53bedf5caed86a7c548020abfbb577edccc32eb03fd776b4f2d77d24cb9d453c44eb8ab00fd72d359bfa91a00abe6de1695b04e06fe0b

Download Submit
C:\AAtvmKv4L.README.txt

Filesize
434B

MD5
b4709a56b9d7f431da172316cda720be

SHA1
d2132f7129a7003ec4c0392f0f08cd24ea353da6

SHA256
192d1e6078570865531e8a4c9840a483c4a2ac35fe468107284991f6da813191

SHA512
e390d51e95db5e56c666a2895dc87dab41d97e7ce3c0df1f2466abf14a651167232521ab5f52746d16bab0ef14e6c0ee9dcfe29894604d695b0d064909378227

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDD

Filesize
194KB

MD5
da5e27fd54cf3d1eed75757f01abcb2c

SHA1
998468336e0e31205dc5d30e2a038e009682205a

SHA256
364fd809e59ac0b9f3629cff0de608ffda94aefafd44476f2a14fe9e9c0f1dbd

SHA512
25803c2b91ee18d2e89f4dd3d1779146b57402e60cf2f7f8a13dcac93d3b7429f36d8e41cec4182a86ae0e47f0d46a3ee8aa85ca774f5feb12c21cba319ddb19

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\DDDDDDDDDDD

Filesize
129B

MD5
a15db8a283455fa2146805d0f774f431

SHA1
ae5287835f3065474fb55c8ff067c3a585cc0374

SHA256
31820023a93797e781eaa16deeee50c14096b218309fb3fff098a458dd73b6d2

SHA512
c3e17c5f4e4efe733149836dba05bba4b5727a221e2d5ad060d26c435ec3320bfef7afc961659be8ff5ba14cf93f5708edbc14deaefead2359f0a3f2d6dce3ce

Download Submit
\ProgramData\DB23.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1580-0-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2076-897-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2076-899-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download