Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    07-09-2024 06:44

General

  • Target

    LB3.exe

  • Size

    147KB

  • MD5

    5820e728cfad98d8673d29448c58c7d5

  • SHA1

    cfe71685fd09fd14d2d2faa8618b2559438a8b1e

  • SHA256

    5ccc9cb2e75c85b87f7244cca81c1acf6dfffe8f35a8c4d0ee00795872a9c9e7

  • SHA512

    28ce7d774bd528a83e18fadf74e2826ae99031909e0907c83278604ba72a299942436721443ead9820a7e6bbc1f07c2e325886d316ed529fd12946c20e6cb9d4

  • SSDEEP

    1536:0zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDekDM2CpVTBVuVAPuzLsA/t83YY:bqJogYkcSNm9V7DekDMyVTzLVdwUOT

Malware Config

Extracted

Path

C:\MNYHU2Jh1.README.txt

Ransom Note

~~~ LockBit 5.02 the world's fastest ransomware since 2024~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom BTC amount 0.02 BTC amount 0 , deleted all files from you PC, and post all infirmation to public. where send BTC: bc1qm7sg7p2jkgthv7pkjy856sh9lr5x3yrpzv099d Time just 12 hr, after everythink will be removed You can buy them on the exchange or at an ATM https://coinatmradar.com. You can find the addresses here buy with credit or debet card online https://www.moonpay.com/buy. After that, send a request with confirmation to e-mail , faster way! [email protected] or [email protected] If both email no answer, you need faster answer and unlock please use TOX You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, tox. Tox ID LockBitSupp: 47C90F99E92AC0ECEAD8C2BD15B21866EBC1195B6E2B0412CE3658E21B696843FF4A8D144B24

URLs

https://coinatmradar.com

https://www.moonpay.com/buy

https://tox.chat/download.html

Signatures

  • Renames multiple (357) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\ProgramData\6F95.tmp
      "C:\ProgramData\6F95.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6F95.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:836
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\AAAAAAAAAAA

      Filesize

      129B

      MD5

      047f826bcea7e7a4a38a4835a0f3fc14

      SHA1

      53caaba3b44cde7118a085859b463573846c1449

      SHA256

      be2a5b18ec6d68085c0c4778a8f1a827a4f0809cd54f53e52e539a32187f966a

      SHA512

      41cf9dccd117c256e2b20442a322b0cb2e46bb280445b281534b28b8bd4434733663d77ecb8679d359d90684f834a5e93cd485c6615bfb3b9bc5b4a87affe17f

    • C:\MNYHU2Jh1.README.txt

      Filesize

      1KB

      MD5

      70f8acf921f004784b21982bdfb5fb9b

      SHA1

      a5fe82b54b1da9425c680e04ac9a0ea88ff4a225

      SHA256

      497cdf0c2b83ff7b52d2b0e06985a0dd70746291f1c7fef1dd191e286a8f71f4

      SHA512

      04c76d374ac49c6c6d72fd00c0bafe0bb50ab98f8e2e954f32c575720df623d1e1103954475e9a36a79de7820627ef5170d00ac1d768038e50ad1e4e80313084

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDD

      Filesize

      147KB

      MD5

      9ece9d853ae9a3af8858f4665f3370a9

      SHA1

      cd7896dce1cac38ae27891178b80ffde6f419030

      SHA256

      111bb26c11e665f11a6305c16e493f25e4285d6d021b4e5331c42767ba9e3477

      SHA512

      5d4ee9d08ce7bc9c80d976419a9b36512dbfc75309f7ff56a421f082f141d613bd84e8272169c36f14c3ac0eac0d3669ee9f0fd1409f64145771b1286011b968

    • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      3113fd94e463dbbbde34c6cd5bd5a0af

      SHA1

      0540d7e97097c15586533b901b1a138cbd28d96b

      SHA256

      6c58f4ad0059b8d13d952eb9a21a9a7f98068473ba4c62cbe0849f9f433d0766

      SHA512

      991f9d70c046b8c7ebedac71dd30cf4831f6acbca90cbe4a6b6dc93eaa88dd2583d40500ada97b42c165682ed40aebdee16ba9944c5bcdb463a298d30837ad83

    • \ProgramData\6F95.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/2364-0-0x0000000000B00000-0x0000000000B40000-memory.dmp

      Filesize

      256KB

    • memory/2976-895-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/2976-894-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/2976-893-0x0000000000340000-0x0000000000380000-memory.dmp

      Filesize

      256KB

    • memory/2976-892-0x0000000000340000-0x0000000000380000-memory.dmp

      Filesize

      256KB

    • memory/2976-890-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/2976-925-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

    • memory/2976-924-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB