lockbit | 7e32888f7a6d5b70bcdb690a82f1761607b1ab6398441228cc4ac5a098cd733b

Resubmissions

24-11-2024 19:12

241124-xwlxjavjev 10

24-11-2024 19:05

241124-xryqjatqgy 10

Analysis

max time kernel
98s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-11-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LB3.exe
Size

153KB
MD5

6b891bc9b12b189cf8a916062db75da3
SHA1

5f808c54f816ac7ff06695c831236453e49d63bf
SHA256

7e32888f7a6d5b70bcdb690a82f1761607b1ab6398441228cc4ac5a098cd733b
SHA512

1405c0fecf41e6439638244098cf8dc80b5cbb3e9645ecdd1e2fe3b38c21b0028c1075d0fcb922d83b33d980ac405ad825e3dda202a78dac0be6a14f226fb0d7
SSDEEP

3072:c6glyuxE4GsUPnliByocWeppFtwRpkSqNmv2:c6gDBGpvEByocWeDep9SN

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\iUwG9Yr05.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: 312A08A2A9819E7EE7F39C0389A0213A >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit
Renames multiple (482) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
476	9BB4.tmp

Executes dropped EXE 1 IoCs

pid	Process
476	9BB4.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4249425805-3408538557-1766626484-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4249425805-3408538557-1766626484-1000\desktop.ini	LB3.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PP6ap5mgmpay5u73trr7gehvjp.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPjaka_5odfir3lnbv43ysn_moc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPcyheaqui90htpjteflh2oqh6b.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\iUwG9Yr05.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\iUwG9Yr05.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
476	9BB4.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9BB4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.iUwG9Yr05	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iUwG9Yr05\ = "iUwG9Yr05"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iUwG9Yr05\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iUwG9Yr05	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iUwG9Yr05\DefaultIcon\ = "C:\\ProgramData\\iUwG9Yr05.ico"	LB3.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4740	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2692	ONENOTE.EXE
2692	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe
3292	LB3.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp
476	9BB4.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeDebugPrivilege	3292	LB3.exe
Token: 36	3292	LB3.exe
Token: SeImpersonatePrivilege	3292	LB3.exe
Token: SeIncBasePriorityPrivilege	3292	LB3.exe
Token: SeIncreaseQuotaPrivilege	3292	LB3.exe
Token: 33	3292	LB3.exe
Token: SeManageVolumePrivilege	3292	LB3.exe
Token: SeProfSingleProcessPrivilege	3292	LB3.exe
Token: SeRestorePrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeSystemProfilePrivilege	3292	LB3.exe
Token: SeTakeOwnershipPrivilege	3292	LB3.exe
Token: SeShutdownPrivilege	3292	LB3.exe
Token: SeDebugPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeBackupPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe
Token: SeSecurityPrivilege	3292	LB3.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE
2692	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 1016	3292	LB3.exe	82
PID 3292 wrote to memory of 1016	3292	LB3.exe	82
PID 244 wrote to memory of 2692	244	printfilterpipelinesvc.exe	85
PID 244 wrote to memory of 2692	244	printfilterpipelinesvc.exe	85
PID 3292 wrote to memory of 476	3292	LB3.exe	86
PID 3292 wrote to memory of 476	3292	LB3.exe	86
PID 3292 wrote to memory of 476	3292	LB3.exe	86
PID 3292 wrote to memory of 476	3292	LB3.exe	86
PID 476 wrote to memory of 3412	476	9BB4.tmp	87
PID 476 wrote to memory of 3412	476	9BB4.tmp	87
PID 476 wrote to memory of 3412	476	9BB4.tmp	87

C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:1016
- C:\ProgramData\9BB4.tmp
  "C:\ProgramData\9BB4.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:476
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9BB4.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:664

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:244
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{564A35EA-FF07-40B5-8B98-0DADE8D7D64E}.xps" 133769491528410000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2692

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\iUwG9Yr05.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4249425805-3408538557-1766626484-1000\YYYYYYYYYYY

Filesize
129B

MD5
1f1ec37d242fe4ee75b2c15a3b29624d

SHA1
5d805f707b15b47e1bf3a433cd8b36319a8537db

SHA256
633a67852e750f28e3f462da4e16ee13f33adbe389fec95bdf9f7cfea9e22b85

SHA512
9de1952d8d2e1502791ca3bbb3641788e7d30b6830c5605786868bbcdcdc91c53e4fdee8b2c0ce9a7d584b3f4697c436ba0b563b05a69de4c02f47cba9fddf0d

Download Submit
C:\ProgramData\9BB4.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{564A35EA-FF07-40B5-8B98-0DADE8D7D64E}.xps

Filesize
13.1MB

MD5
cefc25d6a1fb34ed0d739b14cf864bbc

SHA1
2f1d5ab460e06e94d4b771f7eab04f37cefb374e

SHA256
55836d2076c8474c66a546ec0e4873082f2c927f15f5cd7533dc49cc2f1a5c57

SHA512
90f8faa159d5d0e98a019805cdf648092117e9d2b8c0746709c54f9db852a8c16a9b6949645e7a836844c220ff22c521bd3da318c20ba0dd9ccb6fd081273b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDD

Filesize
153KB

MD5
252ecb067e86cbb8f96a0fc14549af78

SHA1
3cd1494b6e7e2a407468c29dad356aba948a78d0

SHA256
2e3791894bd05e062620ceeabbd016a04a8be6f16ec0e94a391fdc48bd78c0db

SHA512
c2e93c188e0a076f42ada3566bb0f72e92645fcbafc1eccba60d8da28e9f311d920a24f81a354cbb87a74c56d181bc16658e5a71bda5ec9e1e9dd019d255f188

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8BA56750-6002-4DA9-AB3D-C53E504E78A8}

Filesize
4KB

MD5
1189134e73dfcbe81681e7680af785b1

SHA1
1166810c90b45f951f5a44bd009511068157e2a7

SHA256
3e841b0a38e9f480547c1a9fd66f10d4188c492c1aa8b7049f659909628d2422

SHA512
60ead273caa98ac703c53c001aaeadb6d0504ec043c8c0ee65de9cac77a5a86c4d9ba9480c98c7f359c53b2e23094742282af3c71ac0347b075d00641b87d708

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\iUwG9Yr05.README.txt

Filesize
6KB

MD5
7701b5fcb7c7e2bba1aa5f85fc41db6d

SHA1
a5c871943ad1ea68064ff6ae72c821e8f7888c79

SHA256
7eebda35eac382cfa2cd79b1f5d24305980ecec567afa313fd2977d85cdd3add

SHA512
13f92d97c0968bf9e7fe3bfa6cdd3c22bc6071f2fb08a69ad0d1e04f9d8e47a5e0d9a20d56094affc7ce46c8594283071c22b96ea30186088357d542eeeae62d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4249425805-3408538557-1766626484-1000\DDDDDDDDDDD

Filesize
129B

MD5
436d35959398df3e524da11e07525327

SHA1
a356c33b08bf07209f8bd2d22336859a66cd5477

SHA256
e629794a14b62b7362a2a9d3f709152d8fefd0307c2c27f2712cef02305c4320

SHA512
0343396a7c3cae838f919522420364a796a6d75f53720b547905ff8022d7686384c4c9441187b92930631306f03e5afb9d487f0cb84496a0b8897abb92ca2268

Download Submit
memory/2692-2732-0x00007FF8F5C50000-0x00007FF8F5C60000-memory.dmp

Filesize
64KB

Download
memory/2692-2871-0x00007FF8F5C50000-0x00007FF8F5C60000-memory.dmp

Filesize
64KB

Download
memory/2692-2731-0x00007FF8F5C50000-0x00007FF8F5C60000-memory.dmp

Filesize
64KB

Download
memory/2692-2872-0x00007FF8F5C50000-0x00007FF8F5C60000-memory.dmp

Filesize
64KB

Download
memory/2692-2733-0x00007FF8F5C50000-0x00007FF8F5C60000-memory.dmp

Filesize
64KB

Download
memory/2692-2734-0x00007FF8F5C50000-0x00007FF8F5C60000-memory.dmp

Filesize
64KB

Download
memory/2692-2873-0x00007FF8F5C50000-0x00007FF8F5C60000-memory.dmp

Filesize
64KB

Download
memory/2692-2763-0x00007FF8F3A30000-0x00007FF8F3A40000-memory.dmp

Filesize
64KB

Download
memory/2692-2764-0x00007FF8F3A30000-0x00007FF8F3A40000-memory.dmp

Filesize
64KB

Download
memory/2692-2874-0x00007FF8F5C50000-0x00007FF8F5C60000-memory.dmp

Filesize
64KB

Download
memory/2692-2730-0x00007FF8F5C50000-0x00007FF8F5C60000-memory.dmp

Filesize
64KB

Download
memory/3292-2-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/3292-1-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/3292-2712-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/3292-2713-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/3292-2714-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/3292-0-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download