Overview

Score per item and analysis environment:

  Item                     Environment          Score
  overview                 -                    10
  static                   -                    10
  ransom/Build.bat         windows7-x64         3
  ransom/Build.bat         windows10-2004-x64   3
  ransom/Build/LB3.exe     windows7-x64         9
  ransom/Build/LB3.exe     windows10-2004-x64   9
  ransom/Bui...or.exe      windows7-x64         7
  ransom/Bui...or.exe      windows10-2004-x64   7
  ransom/Bui...in.dll      windows7-x64         9
  ransom/Bui...in.dll      windows10-2004-x64   7
  ransom/Bui...32.dll      windows7-x64         3
  ransom/Bui...32.dll      windows10-2004-x64   3
  ransom/Bui...ss.dll      windows7-x64         10
  ransom/Bui...ss.dll      windows10-2004-x64   10
  ransom/Bui...ss.exe      windows7-x64         10
  ransom/Bui...ss.exe      windows10-2004-x64   10
  ransom/builder.exe       windows7-x64         1
  ransom/builder.exe       windows10-2004-x64   3
  ransom/keygen.exe        windows7-x64         1
  ransom/keygen.exe        windows10-2004-x64   3

Analysis
- max time kernel: 117s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2024 01:10
Behavioral tasks

  Task           Sample                                        Resource
  behavioral1    ransom/Build.bat                              win7-20241010-en
  behavioral2    ransom/Build.bat                              win10v2004-20241007-en
  behavioral3    ransom/Build/LB3.exe                          win7-20240729-en
  behavioral4    ransom/Build/LB3.exe                          win10v2004-20241007-en
  behavioral5    ransom/Build/LB3Decryptor.exe                 win7-20240903-en
  behavioral6    ransom/Build/LB3Decryptor.exe                 win10v2004-20241007-en
  behavioral7    ransom/Build/LB3_ReflectiveDll_DllMain.dll    win7-20241010-en
  behavioral8    ransom/Build/LB3_ReflectiveDll_DllMain.dll    win10v2004-20241007-en
  behavioral9    ransom/Build/LB3_Rundll32.dll                 win7-20240903-en
  behavioral10   ransom/Build/LB3_Rundll32.dll                 win10v2004-20241007-en
  behavioral11   ransom/Build/LB3_Rundll32_pass.dll            win7-20240903-en
  behavioral12   ransom/Build/LB3_Rundll32_pass.dll            win10v2004-20241007-en
  behavioral13   ransom/Build/LB3_pass.exe                     win7-20240903-en
  behavioral14   ransom/Build/LB3_pass.exe                     win10v2004-20241007-en
  behavioral15   ransom/builder.exe                            win7-20240903-en
  behavioral16   ransom/builder.exe                            win10v2004-20241007-en
  behavioral17   ransom/keygen.exe                             win7-20241010-en
  behavioral18   ransom/keygen.exe                             win10v2004-20241007-en
General

- Target: ransom/Build/LB3.exe
- Size: 145KB
- MD5: b2cb742a43762106fc03fa1e26fd4f68
- SHA1: aef4e9199b06b835b6e677c0910d3ed6fdf96ef3
- SHA256: f4dcf20fcdd95d241eadcd88ce30998189d0682132456e9254321a8d6d281611
- SHA512: d0521e8a496e53a309acf7f9d388e684bfa068cc77d23ae6a7da75e6dea962b2a9e3dd5a27dc5e45c054aa025e3ff1a3c237a996aab2fbcfaa68483481ca4975
- SSDEEP: 3072:5qJogYkcSNm9V7D58PleQQuloQwssCnT:5q2kc4m9tDcQvuiQfD
Malware Config
Signatures
- Renames multiple (370) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself (1 IoC)
  Processes:
    pid | Process
    2124 | E678.tmp
- Executes dropped EXE (1 IoC)
  Processes:
    pid | Process
    2124 | E678.tmp
- Loads dropped DLL (1 IoC)
  Processes:
    pid | Process
    304 | LB3.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  Processes:
    description | ioc | Process
    File opened for modification | C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini | LB3.exe
    File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini | LB3.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | Process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\BNzPckH0e.bmp" | LB3.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\BNzPckH0e.bmp" | LB3.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    pid | Process
    2124 | E678.tmp
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LB3.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E678.tmp
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Modifies Control Panel (2 IoCs)
  Processes:
    description | ioc | Process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallpaperStyle = "10" | LB3.exe
    Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop | LB3.exe
- Modifies registry class (5 IoCs)
  Processes:
    description | ioc | Process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon | LB3.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e | LB3.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon\ = "C:\\ProgramData\\BNzPckH0e.ico" | LB3.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e | LB3.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e\ = "BNzPckH0e" | LB3.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid | Process
    304 | LB3.exe (14 identical entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  Processes:
    pid | Process
    2124 | E678.tmp (26 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (all 64 entries belong to pid 304, LB3.exe; distinct privileges listed in order of first appearance):
    description | pid | Process
    Token: SeAssignPrimaryTokenPrivilege | 304 | LB3.exe
    Token: SeBackupPrivilege | 304 | LB3.exe
    Token: SeDebugPrivilege | 304 | LB3.exe
    Token: 36 | 304 | LB3.exe
    Token: SeImpersonatePrivilege | 304 | LB3.exe
    Token: SeIncBasePriorityPrivilege | 304 | LB3.exe
    Token: SeIncreaseQuotaPrivilege | 304 | LB3.exe
    Token: 33 | 304 | LB3.exe
    Token: SeManageVolumePrivilege | 304 | LB3.exe
    Token: SeProfSingleProcessPrivilege | 304 | LB3.exe
    Token: SeRestorePrivilege | 304 | LB3.exe
    Token: SeSecurityPrivilege | 304 | LB3.exe
    Token: SeSystemProfilePrivilege | 304 | LB3.exe
    Token: SeTakeOwnershipPrivilege | 304 | LB3.exe
    Token: SeShutdownPrivilege | 304 | LB3.exe
  The remaining entries are repeated SeDebugPrivilege, SeBackupPrivilege and SeSecurityPrivilege adjustments by the same process, with SeBackupPrivilege and SeSecurityPrivilege alternating in pairs.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | Process | procid_target
    PID 304 wrote to memory of 2124 | 304 | LB3.exe | 33 (5 identical entries)
    PID 2124 wrote to memory of 2136 | 2124 | E678.tmp | 34 (4 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe (PID 304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe"
  Signatures:
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Child process:
  - C:\ProgramData\E678.tmp (PID 2124)
    Command line: "C:\ProgramData\E678.tmp"
    Signatures:
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\cmd.exe (PID 2136)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E678.tmp >> NUL
      Signatures:
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\AUDIODG.EXE (PID 2760)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
- Filesize: 93B
- Filesize: 145KB
- Filesize: 129B
- Filesize: 14KB