Analysis
- max time kernel: 90s
- max time network: 101s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 03/09/2024, 18:06
Behavioral task
- behavioral1
- Sample: LB3.exe
- Resource: win11-20240802-en
General
- Target: LB3.exe
- Size: 153KB
- MD5: 1437b8d9a2d7fff15e6df325cb3bbc47
- SHA1: b694bd83d84c4d884ebc5c940501464f4a9ffed2
- SHA256: 59e06788bcd99094f7f16ef4fced39685e373d6e91930ec0b2bb8df9089a40d1
- SHA512: 94c2f319b85b78bf19c04fd907ce0a8f85dbc3a53284e8039dc81e8b13566d655664c0a46782105bfd4f1d826ee22df64ff07640addd812013c5917ccbf353bf
- SSDEEP: 3072:u6glyuxE4GsUPnliByocWepx811s76nk0j5yO:u6gDBGpvEByocWeAPwp
Malware Config
Extracted from: C:\kdxV3Dlnb.README.txt
Family: lockbit
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Renames multiple (522) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself (1 IoC)
  pid 2560, Process B900.tmp
- Executes dropped EXE (1 IoC)
  pid 2560, Process B900.tmp
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-3761892313-3378554128-2287991803-1000\desktop.ini (LB3.exe)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-3761892313-3378554128-2287991803-1000\desktop.ini (LB3.exe)
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\system32\spool\PRINTERS\PPbf8l8t_o9likj9v5uu032767b.TMP (printfilterpipelinesvc.exe)
  File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (splwow64.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PPnixoqqnp2oq1_wi2xh3vpezpc.TMP (printfilterpipelinesvc.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PP1d0bymmne54n3p0wkr3602mcc.TMP (printfilterpipelinesvc.exe)
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\kdxV3Dlnb.bmp" (LB3.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\kdxV3Dlnb.bmp" (LB3.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid 1588 LB3.exe (4 entries); pid 2560 B900.tmp (1 entry)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (LB3.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (B900.tmp)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (ONENOTE.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (ONENOTE.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (ONENOTE.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (ONENOTE.EXE)
- Modifies Control Panel (2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Desktop\WallpaperStyle = "10" (LB3.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Desktop (LB3.exe)
- Modifies registry class (5 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kdxV3Dlnb (LB3.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kdxV3Dlnb\DefaultIcon\ = "C:\\ProgramData\\kdxV3Dlnb.ico" (LB3.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.kdxV3Dlnb (LB3.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.kdxV3Dlnb\ = "kdxV3Dlnb" (LB3.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kdxV3Dlnb\DefaultIcon (LB3.exe)
- Opens file in notepad (likely ransom note) (1 IoC)
  pid 2924, Process NOTEPAD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid 1420 ONENOTE.EXE (2 entries)
- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  pid 1588 LB3.exe (60 entries); pid 1420 ONENOTE.EXE (2 entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  pid 2560 B900.tmp (26 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All 64 entries: pid 1588, Process LB3.exe. Tokens in the order recorded: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege, followed by 48 further entries alternating in pairs between SeBackupPrivilege and SeSecurityPrivilege (24 of each).
- Suspicious use of SetWindowsHookEx (16 IoCs)
  pid 1420 ONENOTE.EXE (16 entries)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1588 LB3.exe wrote to memory of 3412 (procid_target 80): 2 entries
  PID 4988 printfilterpipelinesvc.exe wrote to memory of 1420 (procid_target 83): 2 entries
  PID 1588 LB3.exe wrote to memory of 2560 (procid_target 84): 4 entries
  PID 2560 B900.tmp wrote to memory of 1052 (procid_target 85): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\LB3.exe (PID 1588, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 3412, depth 2)
    Command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory
  - C:\ProgramData\B900.tmp (PID 2560, depth 2)
    Command line: "C:\ProgramData\B900.tmp"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1052, depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B900.tmp >> NUL
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe (PID 2904, depth 1)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- C:\Windows\system32\printfilterpipelinesvc.exe (PID 4988, depth 1)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 1420, depth 2)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9CEF5005-057B-4D96-B4E4-509ABEF008FB}.xps" 133698604315970000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\NOTEPAD.EXE (PID 2924, depth 1)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\kdxV3Dlnb.README.txt
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: ac7293e9fd33063529e33b259ad02540
  SHA1: 43923548632ff6a57e9efef3d2ad7d9f00afb716
  SHA256: fe031b70738bf513dca12948520523348e759b2d5e6210c9e7c84d5833c60cbe
  SHA512: e9571309c48a9c5e02026f5417ed025eeba9873164cb30726fa3668784425aef2777ee8ed817040064a68742b71153ade8ca5188a49317bdc483b0af6776f0e2
- Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
- Filesize: 13.0MB
  MD5: 7e4c8129fe8f3394345c559ff758a354
  SHA1: 0327e5761365bc06da2261d1353a487c444c02d6
  SHA256: f2ac3c99a892acc747ebd4b5d31ac4fdbd66a7da8851de52d6d953d22f676042
  SHA512: b4d71c8948de76149378f2c1ff7251971ae05b1d978153d8d407427c9df51cc7efeffd59c145c15f63ff8ce963dec8b30286b778eef5ecb490e979a36ab93d73
- Filesize: 153KB
  MD5: dd90fd3b86b0f5d78360c35b88e35b91
  SHA1: 2a0312d69db5c9ba6fbd8ec16d6d3a99cc1a92b8
  SHA256: c89aea484596984dcf90b9510f8a4ca9dc33f25f566fe04788037ad5dff879a2
  SHA512: 0a7f0c43b49542564cf74fc916922f620e7994d87ff82f5fcf604886693a905d2dac966cb04484e813377cd4d8b19c0e7e57415092246df9afe2e3e5756163ae
- Filesize: 4KB
  MD5: cd0b3e1cf7c47d2f4d29bbc4149b1872
  SHA1: ed54ab12e38139efa2aa15945e22fadbb326a9b9
  SHA256: 387b307151d1ca3828187e8704099e9a8d9bdc4eec330eb0002dd73d5f55dc5a
  SHA512: 04075b29593aaed93c6df33e599c05c870f5f2a5735085ea51189a9209bf8d7fc9ff317590f65d4dca137d4030164c2928f72b6a8b0d832d066c78a2a4d0b2c4
- Filesize: 4KB
  MD5: 44a8ec14bd1ed9a031e2f3495d536cbe
  SHA1: 01ebdb1344b1a924f35abdd10c699f911596ca47
  SHA256: 65586e0261c0aa57261d43ee70f7a3fbada7f68ee6c97e21bdb167571dbab447
  SHA512: 53b7d7816a9a6e7e94cacaa6d8e3c471a686d37f1dbd67d0d0a583f24c38293745a4393e9366962de81014457103ea0ceb4ae5b60fe68c355808ebd21a278a90
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- Filesize: 4KB
  MD5: fb46dc905d04aeb434d6ae4ead2472e5
  SHA1: 9672622a1611c6f242234037dcc2ba533f0b6bfe
  SHA256: 1cfd32c72e6fe4da81e709eae24bd827fff1eb21ef2a87e44aaef1cc5cb966ba
  SHA512: 4f5f90c37274cc2b20fc03eb56fa78be15f31874de7a0fd56f3e7bbdb6dea739052a20bcd0c866212d6123b5d5e45097651851da89338d1f3d2987441357365e
- Filesize: 6KB
  MD5: c2449cb2e19d60f0e17cd1399f45dc6a
  SHA1: b3332c076d53c2b89976d8dbb16eaf9301e82723
  SHA256: 9ef8ccaa9e1161e6b90fbf9bef3d03856fa07de9c47596c84d3db7f556e4010b
  SHA512: 54939332fe957d4e4bb31cc8ed8646caaa126302356d6532f9e3ee4c4797309f94c2663c92536d209d5ec2335f0d1b84a78217978766b884606c6d01b85d8f06
- Filesize: 129B
  MD5: 6d215a262b1c906f0c635714300e7e4d
  SHA1: 80dfa84c4c3b44ba5b79a926495b5963fc1deb6f
  SHA256: 1294d31ca4f564d659dbdf508aba5242b0a9560b9738a2f24c029449a959dd46
  SHA512: f967945d99567dac10d0aeefe36f657577fcf3feed797128a75dc766ca1724dc61c67f1b3bf70ead5f331e194937b225a25789c156fb0d1d0b68252f4dbf65ab