Analysis

  • max time kernel
    90s
  • max time network
    101s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03/09/2024, 18:06

General

  • Target

    LB3.exe

  • Size

    153KB

  • MD5

    1437b8d9a2d7fff15e6df325cb3bbc47

  • SHA1

    b694bd83d84c4d884ebc5c940501464f4a9ffed2

  • SHA256

    59e06788bcd99094f7f16ef4fced39685e373d6e91930ec0b2bb8df9089a40d1

  • SHA512

    94c2f319b85b78bf19c04fd907ce0a8f85dbc3a53284e8039dc81e8b13566d655664c0a46782105bfd4f1d826ee22df64ff07640addd812013c5917ccbf353bf

  • SSDEEP

    3072:u6glyuxE4GsUPnliByocWepx811s76nk0j5yO:u6gDBGpvEByocWeAPwp

Malware Config

Extracted

Path

C:\kdxV3Dlnb.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. 
We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: FB8A078F671607A2D697772E1C4FA98E >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. 
You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
URLs

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Renames multiple (522) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3412
    • C:\ProgramData\B900.tmp
      "C:\ProgramData\B900.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B900.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1052
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:2904
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4988
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9CEF5005-057B-4D96-B4E4-509ABEF008FB}.xps" 133698604315970000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1420
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\kdxV3Dlnb.README.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:2924

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3761892313-3378554128-2287991803-1000\PPPPPPPPPPP

      Filesize

      129B

      MD5

      ac7293e9fd33063529e33b259ad02540

      SHA1

      43923548632ff6a57e9efef3d2ad7d9f00afb716

      SHA256

      fe031b70738bf513dca12948520523348e759b2d5e6210c9e7c84d5833c60cbe

      SHA512

      e9571309c48a9c5e02026f5417ed025eeba9873164cb30726fa3668784425aef2777ee8ed817040064a68742b71153ade8ca5188a49317bdc483b0af6776f0e2

    • C:\ProgramData\B900.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9CEF5005-057B-4D96-B4E4-509ABEF008FB}.xps

      Filesize

      13.0MB

      MD5

      7e4c8129fe8f3394345c559ff758a354

      SHA1

      0327e5761365bc06da2261d1353a487c444c02d6

      SHA256

      f2ac3c99a892acc747ebd4b5d31ac4fdbd66a7da8851de52d6d953d22f676042

      SHA512

      b4d71c8948de76149378f2c1ff7251971ae05b1d978153d8d407427c9df51cc7efeffd59c145c15f63ff8ce963dec8b30286b778eef5ecb490e979a36ab93d73

    • C:\Users\Admin\AppData\Local\Temp\EEEEEEE

      Filesize

      153KB

      MD5

      dd90fd3b86b0f5d78360c35b88e35b91

      SHA1

      2a0312d69db5c9ba6fbd8ec16d6d3a99cc1a92b8

      SHA256

      c89aea484596984dcf90b9510f8a4ca9dc33f25f566fe04788037ad5dff879a2

      SHA512

      0a7f0c43b49542564cf74fc916922f620e7994d87ff82f5fcf604886693a905d2dac966cb04484e813377cd4d8b19c0e7e57415092246df9afe2e3e5756163ae

    • C:\Users\Admin\AppData\Local\Temp\{1B611CAA-086A-4ECC-9C16-1AABEEE1CB7B}

      Filesize

      4KB

      MD5

      cd0b3e1cf7c47d2f4d29bbc4149b1872

      SHA1

      ed54ab12e38139efa2aa15945e22fadbb326a9b9

      SHA256

      387b307151d1ca3828187e8704099e9a8d9bdc4eec330eb0002dd73d5f55dc5a

      SHA512

      04075b29593aaed93c6df33e599c05c870f5f2a5735085ea51189a9209bf8d7fc9ff317590f65d4dca137d4030164c2928f72b6a8b0d832d066c78a2a4d0b2c4

    • C:\Users\Admin\AppData\Local\Temp\{876FC3AF-B292-420A-931F-26ABA4210680}

      Filesize

      4KB

      MD5

      44a8ec14bd1ed9a031e2f3495d536cbe

      SHA1

      01ebdb1344b1a924f35abdd10c699f911596ca47

      SHA256

      65586e0261c0aa57261d43ee70f7a3fbada7f68ee6c97e21bdb167571dbab447

      SHA512

      53b7d7816a9a6e7e94cacaa6d8e3c471a686d37f1dbd67d0d0a583f24c38293745a4393e9366962de81014457103ea0ceb4ae5b60fe68c355808ebd21a278a90

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      fb46dc905d04aeb434d6ae4ead2472e5

      SHA1

      9672622a1611c6f242234037dcc2ba533f0b6bfe

      SHA256

      1cfd32c72e6fe4da81e709eae24bd827fff1eb21ef2a87e44aaef1cc5cb966ba

      SHA512

      4f5f90c37274cc2b20fc03eb56fa78be15f31874de7a0fd56f3e7bbdb6dea739052a20bcd0c866212d6123b5d5e45097651851da89338d1f3d2987441357365e

    • C:\kdxV3Dlnb.README.txt

      Filesize

      6KB

      MD5

      c2449cb2e19d60f0e17cd1399f45dc6a

      SHA1

      b3332c076d53c2b89976d8dbb16eaf9301e82723

      SHA256

      9ef8ccaa9e1161e6b90fbf9bef3d03856fa07de9c47596c84d3db7f556e4010b

      SHA512

      54939332fe957d4e4bb31cc8ed8646caaa126302356d6532f9e3ee4c4797309f94c2663c92536d209d5ec2335f0d1b84a78217978766b884606c6d01b85d8f06

    • F:\$RECYCLE.BIN\S-1-5-21-3761892313-3378554128-2287991803-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      6d215a262b1c906f0c635714300e7e4d

      SHA1

      80dfa84c4c3b44ba5b79a926495b5963fc1deb6f

      SHA256

      1294d31ca4f564d659dbdf508aba5242b0a9560b9738a2f24c029449a959dd46

      SHA512

      f967945d99567dac10d0aeefe36f657577fcf3feed797128a75dc766ca1724dc61c67f1b3bf70ead5f331e194937b225a25789c156fb0d1d0b68252f4dbf65ab

    • memory/1420-2758-0x0000014105A80000-0x0000014105BD7000-memory.dmp

      Filesize

      1.3MB

    • memory/1420-2842-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

      Filesize

      64KB

    • memory/1420-2700-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

      Filesize

      64KB

    • memory/1420-2698-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

      Filesize

      64KB

    • memory/1420-2701-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

      Filesize

      64KB

    • memory/1420-2697-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

      Filesize

      64KB

    • memory/1420-2730-0x00007FF963490000-0x00007FF9634A0000-memory.dmp

      Filesize

      64KB

    • memory/1420-2731-0x00007FF963490000-0x00007FF9634A0000-memory.dmp

      Filesize

      64KB

    • memory/1420-2843-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

      Filesize

      64KB

    • memory/1420-2699-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

      Filesize

      64KB

    • memory/1420-2844-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

      Filesize

      64KB

    • memory/1420-2845-0x00007FF965F10000-0x00007FF965F20000-memory.dmp

      Filesize

      64KB

    • memory/1588-2680-0x0000000002920000-0x0000000002930000-memory.dmp

      Filesize

      64KB

    • memory/1588-0-0x0000000002920000-0x0000000002930000-memory.dmp

      Filesize

      64KB

    • memory/1588-1-0x0000000002920000-0x0000000002930000-memory.dmp

      Filesize

      64KB

    • memory/1588-2-0x0000000002920000-0x0000000002930000-memory.dmp

      Filesize

      64KB

    • memory/1588-2679-0x0000000002920000-0x0000000002930000-memory.dmp

      Filesize

      64KB

    • memory/1588-2681-0x0000000002920000-0x0000000002930000-memory.dmp

      Filesize

      64KB