Overview

overview

10

Static

static

10

LB3.exe

windows7-x64

10

LB3.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    LB3.exe

  • Size

    147KB

  • Sample

    240907-hhzh5szflp

  • MD5

    5820e728cfad98d8673d29448c58c7d5

  • SHA1

    cfe71685fd09fd14d2d2faa8618b2559438a8b1e

  • SHA256

    5ccc9cb2e75c85b87f7244cca81c1acf6dfffe8f35a8c4d0ee00795872a9c9e7

  • SHA512

    28ce7d774bd528a83e18fadf74e2826ae99031909e0907c83278604ba72a299942436721443ead9820a7e6bbc1f07c2e325886d316ed529fd12946c20e6cb9d4

  • SSDEEP

    1536:0zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDekDM2CpVTBVuVAPuzLsA/t83YY:bqJogYkcSNm9V7DekDMyVTzLVdwUOT

Score
10/10
lockbitdefense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\MNYHU2Jh1.README.txt

Ransom Note
~~~ LockBit 5.02 the world's fastest ransomware since 2024~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom BTC amount 0.02 BTC amount 0 , deleted all files from you PC, and post all infirmation to public. where send BTC: bc1qm7sg7p2jkgthv7pkjy856sh9lr5x3yrpzv099d Time just 12 hr, after everythink will be removed You can buy them on the exchange or at an ATM https://coinatmradar.com. You can find the addresses here buy with credit or debet card online https://www.moonpay.com/buy. After that, send a request with confirmation to e-mail , faster way! [email protected] or [email protected] If both email no answer, you need faster answer and unlock please use TOX You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, tox. Tox ID LockBitSupp: 47C90F99E92AC0ECEAD8C2BD15B21866EBC1195B6E2B0412CE3658E21B696843FF4A8D144B24
URLs

https://coinatmradar.com

https://www.moonpay.com/buy

https://tox.chat/download.html

Targets

    • Target

      LB3.exe

    • Size

      147KB

    • MD5

      5820e728cfad98d8673d29448c58c7d5

    • SHA1

      cfe71685fd09fd14d2d2faa8618b2559438a8b1e

    • SHA256

      5ccc9cb2e75c85b87f7244cca81c1acf6dfffe8f35a8c4d0ee00795872a9c9e7

    • SHA512

      28ce7d774bd528a83e18fadf74e2826ae99031909e0907c83278604ba72a299942436721443ead9820a7e6bbc1f07c2e325886d316ed529fd12946c20e6cb9d4

    • SSDEEP

      1536:0zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDekDM2CpVTBVuVAPuzLsA/t83YY:bqJogYkcSNm9V7DekDMyVTzLVdwUOT

    Score
    10/10
    defense_evasiondiscoveryransomwarespywarestealer

    • Renames multiple (357) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks