Overview

overview

10

Static

static

10

LB3.exe

windows7-x64

10

LB3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-09-2024 07:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LB3.exe

  • Size

    146KB

  • MD5

    a5f2eeb4c5cbb2c2ff3b103e304c4a37

  • SHA1

    604025da6efc564ae2b3b92c33eb3a2995ca81a4

  • SHA256

    105912c9995a1d718c5442349d2cc4bb99426f75ff34554cdfd9a7272eeca398

  • SHA512

    96e766e4f3aefacada98a5336320db9d26c5d7d5d150125183e5415786b57d46b3383880910cfbdcd0928960d4abcaeba19c0854b0fb4a863391f0b13617bf4e

  • SSDEEP

    1536:NzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDrZ5bKzpnSPyZxedH4UnFgDXv0R:eqJogYkcSNm9V7DmSPNHnFsvCT

Score
10/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\RCl10Ol9q.README.txt

Ransom Note
~~~ LockBit Black Ransomware Since 2024~~~ >>>> Your data are stolen and encrypted Price = 2000 $ Bitcoin = 328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2 Email = [email protected] Email = [email protected] >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> Your personal DECRYPTION ID: WERTYFG34A48MK4D6D525F3F372263313 + ID Number.README.txt >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
Wallets

328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2

Signatures

  • Renames multiple (8913) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\ProgramData\1.tmp
      "C:\ProgramData\1.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2428
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:2264

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\AAAAAAAAAAA
      Filesize

      129B

      MD5

      6103111c763826141caaafc94606a3df

      SHA1

      16d6a405593f8b5e97854de6bc7a6ce0ab43bc43

      SHA256

      eb6b86c76fd196225a8dec9a32102dd6ba3dc30aa1a899389e42b9294ebbf55d

      SHA512

      32f4188cf30906dfeafdbe8693b0b208e4d0ba25c26e18811fe3316bee13eb44398f2841d3425486100b3db6c5c6e1280b3f66628075dd711962e39fa2bb1c35

      Download Submit

    • C:\Program Files\Java\jre7\lib\zi\America\Swift_Current.RCl10Ol9q
      Filesize

      241B

      MD5

      5b0e8358aceaec5d077108b41edb6845

      SHA1

      17d8c7d88ae8d54f26caebea8a407cb7d15dac82

      SHA256

      4124115f3e3c379718f7d19f821a26c553468123e4608589ffaf3d65c80e973b

      SHA512

      6000eec6b7a65e4e3be486e3db95822e70dc025450a022d498fe1e9cc3415c0bc222e6dddcc6ba092213b9177f32d2fced915c01534aa9eda02831c1676072d9

      Download Submit

    • C:\RCl10Ol9q.README.txt
      Filesize

      1KB

      MD5

      6c20c5b93268232ba3bcb18e6dd215af

      SHA1

      2008645dde0884ad7bed5732a4005968472e7ca2

      SHA256

      ce7e57b1ee943eeb6ec10d4556da9b16f2cb02401109d60590bb8f78ddbde478

      SHA512

      4a2465070eff7a0e3d99fe137634f2a7768f5df383f4b10fb00f214c40f4843e0712c117c1b0e422ce7650d3ae04e5d1b4993b7029f3007a52fb68e408a1346c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDD
      Filesize

      146KB

      MD5

      2202325787766da47fdfeff4482b7b44

      SHA1

      9429025dba7d5f6677a298e99dde2acb71ab2413

      SHA256

      ae2e5aeb114e8451a7138f270fa1bd3b0c39cfbefc58eb2484bffd4a1e85bc0d

      SHA512

      3927581e6f9632d0a2aab65891cf4b9c0c01c361ff0a6b18642b03864af4fcb64fa8ce16706d6fe18324e1f2d7f4ea0c8d8712bdf842878779ca039ca1bc4def

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      1994c1e9d5c45965dac03b31f8cbbc04

      SHA1

      ea0fb845581fb258e1f7f8e107f0c16b4a9a2ec3

      SHA256

      ddc4a4517b2880c217ef2288bc95192eb789f59be3aba8b43eeaf492de4f25e9

      SHA512

      4a948fe5ee8712e413234994222e7f7a8c8b93cfe49167b5207534e859aefe694af63d3b05115227e7ff22f7508e319febde54f52c920d247df619aefd8fd12a

      Download Submit

    • \ProgramData\1.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • memory/1680-12874-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1680-12876-0x0000000002380000-0x00000000023C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1680-12878-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1680-12877-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1680-12908-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1680-12907-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2316-0-0x0000000000280000-0x00000000002C0000-memory.dmp

      Filesize

      256KB

      Download