lockbit | 59e06788bcd99094f7f16ef4fced39685e373d6e91930ec0b2bb8df9089a40d1

Analysis

max time kernel
90s
max time network
101s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03/09/2024, 18:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

LB3.exe
Size

153KB
MD5

1437b8d9a2d7fff15e6df325cb3bbc47
SHA1

b694bd83d84c4d884ebc5c940501464f4a9ffed2
SHA256

59e06788bcd99094f7f16ef4fced39685e373d6e91930ec0b2bb8df9089a40d1
SHA512

94c2f319b85b78bf19c04fd907ce0a8f85dbc3a53284e8039dc81e8b13566d655664c0a46782105bfd4f1d826ee22df64ff07640addd812013c5917ccbf353bf
SSDEEP

3072:u6glyuxE4GsUPnliByocWepx811s76nk0j5yO:u6gDBGpvEByocWeAPwp

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\kdxV3Dlnb.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: FB8A078F671607A2D697772E1C4FA98E >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Renames multiple (522) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2560	B900.tmp

Executes dropped EXE 1 IoCs

pid	Process
2560	B900.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3761892313-3378554128-2287991803-1000\desktop.ini	LB3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3761892313-3378554128-2287991803-1000\desktop.ini	LB3.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PPbf8l8t_o9likj9v5uu032767b.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPnixoqqnp2oq1_wi2xh3vpezpc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP1d0bymmne54n3p0wkr3602mcc.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\kdxV3Dlnb.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\kdxV3Dlnb.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
2560	B900.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B900.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Desktop	LB3.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kdxV3Dlnb	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kdxV3Dlnb\DefaultIcon\ = "C:\\ProgramData\\kdxV3Dlnb.ico"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kdxV3Dlnb	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.kdxV3Dlnb\ = "kdxV3Dlnb"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kdxV3Dlnb\DefaultIcon	LB3.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2924	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1420	ONENOTE.EXE
1420	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1588	LB3.exe
1420	ONENOTE.EXE
1420	ONENOTE.EXE

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp
2560	B900.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeDebugPrivilege	1588	LB3.exe
Token: 36	1588	LB3.exe
Token: SeImpersonatePrivilege	1588	LB3.exe
Token: SeIncBasePriorityPrivilege	1588	LB3.exe
Token: SeIncreaseQuotaPrivilege	1588	LB3.exe
Token: 33	1588	LB3.exe
Token: SeManageVolumePrivilege	1588	LB3.exe
Token: SeProfSingleProcessPrivilege	1588	LB3.exe
Token: SeRestorePrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeSystemProfilePrivilege	1588	LB3.exe
Token: SeTakeOwnershipPrivilege	1588	LB3.exe
Token: SeShutdownPrivilege	1588	LB3.exe
Token: SeDebugPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeBackupPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe
Token: SeSecurityPrivilege	1588	LB3.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE
1420	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 3412	1588	LB3.exe	80
PID 1588 wrote to memory of 3412	1588	LB3.exe	80
PID 4988 wrote to memory of 1420	4988	printfilterpipelinesvc.exe	83
PID 4988 wrote to memory of 1420	4988	printfilterpipelinesvc.exe	83
PID 1588 wrote to memory of 2560	1588	LB3.exe	84
PID 1588 wrote to memory of 2560	1588	LB3.exe	84
PID 1588 wrote to memory of 2560	1588	LB3.exe	84
PID 1588 wrote to memory of 2560	1588	LB3.exe	84
PID 2560 wrote to memory of 1052	2560	B900.tmp	85
PID 2560 wrote to memory of 1052	2560	B900.tmp	85
PID 2560 wrote to memory of 1052	2560	B900.tmp	85

C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:3412
- C:\ProgramData\B900.tmp
  "C:\ProgramData\B900.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B900.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2904

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9CEF5005-057B-4D96-B4E4-509ABEF008FB}.xps" 133698604315970000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1420

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\kdxV3Dlnb.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3761892313-3378554128-2287991803-1000\PPPPPPPPPPP

Filesize
129B

MD5
ac7293e9fd33063529e33b259ad02540

SHA1
43923548632ff6a57e9efef3d2ad7d9f00afb716

SHA256
fe031b70738bf513dca12948520523348e759b2d5e6210c9e7c84d5833c60cbe

SHA512
e9571309c48a9c5e02026f5417ed025eeba9873164cb30726fa3668784425aef2777ee8ed817040064a68742b71153ade8ca5188a49317bdc483b0af6776f0e2

Download Submit
C:\ProgramData\B900.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9CEF5005-057B-4D96-B4E4-509ABEF008FB}.xps

Filesize
13.0MB

MD5
7e4c8129fe8f3394345c559ff758a354

SHA1
0327e5761365bc06da2261d1353a487c444c02d6

SHA256
f2ac3c99a892acc747ebd4b5d31ac4fdbd66a7da8851de52d6d953d22f676042

SHA512
b4d71c8948de76149378f2c1ff7251971ae05b1d978153d8d407427c9df51cc7efeffd59c145c15f63ff8ce963dec8b30286b778eef5ecb490e979a36ab93d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEEEEE

Filesize
153KB

MD5
dd90fd3b86b0f5d78360c35b88e35b91

SHA1
2a0312d69db5c9ba6fbd8ec16d6d3a99cc1a92b8

SHA256
c89aea484596984dcf90b9510f8a4ca9dc33f25f566fe04788037ad5dff879a2

SHA512
0a7f0c43b49542564cf74fc916922f620e7994d87ff82f5fcf604886693a905d2dac966cb04484e813377cd4d8b19c0e7e57415092246df9afe2e3e5756163ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1B611CAA-086A-4ECC-9C16-1AABEEE1CB7B}

Filesize
4KB

MD5
cd0b3e1cf7c47d2f4d29bbc4149b1872

SHA1
ed54ab12e38139efa2aa15945e22fadbb326a9b9

SHA256
387b307151d1ca3828187e8704099e9a8d9bdc4eec330eb0002dd73d5f55dc5a

SHA512
04075b29593aaed93c6df33e599c05c870f5f2a5735085ea51189a9209bf8d7fc9ff317590f65d4dca137d4030164c2928f72b6a8b0d832d066c78a2a4d0b2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{876FC3AF-B292-420A-931F-26ABA4210680}

Filesize
4KB

MD5
44a8ec14bd1ed9a031e2f3495d536cbe

SHA1
01ebdb1344b1a924f35abdd10c699f911596ca47

SHA256
65586e0261c0aa57261d43ee70f7a3fbada7f68ee6c97e21bdb167571dbab447

SHA512
53b7d7816a9a6e7e94cacaa6d8e3c471a686d37f1dbd67d0d0a583f24c38293745a4393e9366962de81014457103ea0ceb4ae5b60fe68c355808ebd21a278a90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
fb46dc905d04aeb434d6ae4ead2472e5

SHA1
9672622a1611c6f242234037dcc2ba533f0b6bfe

SHA256
1cfd32c72e6fe4da81e709eae24bd827fff1eb21ef2a87e44aaef1cc5cb966ba

SHA512
4f5f90c37274cc2b20fc03eb56fa78be15f31874de7a0fd56f3e7bbdb6dea739052a20bcd0c866212d6123b5d5e45097651851da89338d1f3d2987441357365e

Download Submit
C:\kdxV3Dlnb.README.txt

Filesize
6KB

MD5
c2449cb2e19d60f0e17cd1399f45dc6a

SHA1
b3332c076d53c2b89976d8dbb16eaf9301e82723

SHA256
9ef8ccaa9e1161e6b90fbf9bef3d03856fa07de9c47596c84d3db7f556e4010b

SHA512
54939332fe957d4e4bb31cc8ed8646caaa126302356d6532f9e3ee4c4797309f94c2663c92536d209d5ec2335f0d1b84a78217978766b884606c6d01b85d8f06

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3761892313-3378554128-2287991803-1000\DDDDDDDDDDD

Filesize
129B

MD5
6d215a262b1c906f0c635714300e7e4d

SHA1
80dfa84c4c3b44ba5b79a926495b5963fc1deb6f

SHA256
1294d31ca4f564d659dbdf508aba5242b0a9560b9738a2f24c029449a959dd46

SHA512
f967945d99567dac10d0aeefe36f657577fcf3feed797128a75dc766ca1724dc61c67f1b3bf70ead5f331e194937b225a25789c156fb0d1d0b68252f4dbf65ab

Download Submit
memory/1420-2758-0x0000014105A80000-0x0000014105BD7000-memory.dmp

Filesize
1.3MB

Download
memory/1420-2842-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

Filesize
64KB

Download
memory/1420-2700-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

Filesize
64KB

Download
memory/1420-2698-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

Filesize
64KB

Download
memory/1420-2701-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

Filesize
64KB

Download
memory/1420-2697-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

Filesize
64KB

Download
memory/1420-2730-0x00007FF963490000-0x00007FF9634A0000-memory.dmp

Filesize
64KB

Download
memory/1420-2731-0x00007FF963490000-0x00007FF9634A0000-memory.dmp

Filesize
64KB

Download
memory/1420-2843-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

Filesize
64KB

Download
memory/1420-2699-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

Filesize
64KB

Download
memory/1420-2844-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

Filesize
64KB

Download
memory/1420-2845-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

Filesize
64KB

Download
memory/1588-2680-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/1588-0-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/1588-1-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/1588-2-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/1588-2679-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/1588-2681-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download