Malware Analysis Report

2025-01-22 20:48

Sample ID: 241125-bjt7gswjcj
Target: ransom.zip
SHA256: 2882cbed0fb11c95d01b487a85338f4ec25fd44fc3f0936d68af4832d1be9a54
Tags: lockbit blackmatter discovery spyware stealer ransomware defense_evasion
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1
Analysis: behavioral6
Analysis: behavioral9
Analysis: behavioral12
Analysis: behavioral14
Analysis: behavioral18
Analysis: behavioral2
Analysis: behavioral4
Analysis: behavioral5
Analysis: behavioral10
Analysis: behavioral16
Analysis: behavioral17
Analysis: behavioral3
Analysis: behavioral7
Analysis: behavioral8
Analysis: behavioral11
Analysis: behavioral13
Analysis: behavioral15

Each behavioral analysis has the sections Detonation Overview, Command Line, Signatures, Processes, Network and Files.

Analysis Overview

Score: 10/10

SHA256: 2882cbed0fb11c95d01b487a85338f4ec25fd44fc3f0936d68af4832d1be9a54

Threat Level: Known bad

The file ransom.zip was found to be: Known bad.

Malicious Activity Summary

lockbit blackmatter discovery spyware stealer ransomware defense_evasion

Blackmatter family

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (370) files with added filename extension

Renames multiple (278) files with added filename extension

Renames multiple (644) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Indicator Removal: File Deletion

Drops desktop.ini file(s)

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: RenamesItself

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-25 01:10

Signatures

Blackmatter family

Tags: blackmatter

Lockbit family

Tags: lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-25 01:10
Reported: 2024-11-25 01:13
Platform: win7-20241010-en
Max time kernel: 12s
Max time network: 19s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\ransom\Build.bat"

Signatures

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2376 wrote to memory of 2484 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe
PID 2376 wrote to memory of 2484 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe
PID 2376 wrote to memory of 2484 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe
PID 2376 wrote to memory of 2484 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe
PID 2376 wrote to memory of 2876 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2876 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2876 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2876 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2948 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2948 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2948 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2948 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 3000 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 3000 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 3000 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 3000 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2992 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2992 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2992 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 2376 wrote to memory of 2992 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ransom\Build.bat"

C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe

keygen -path C:\Users\Admin\AppData\Local\Temp\ransom\Build -pubkey pub.key -privkey priv.key

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_pass.exe

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32.dll

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32_pass.dll

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_ReflectiveDll_DllMain.dll

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\ransom\Build\priv.key

MD5 7394c82605c05303014951ffd2a09c56
SHA1 c97c1a435a6498d9c22a6e55551b2e6843645c5f
SHA256 657399280a211394f0e7789680b88e428a999458fb8d29494648fe1805ad198d
SHA512 0364817ded401c16e193c6c72b1d73e2e1e07aac300b009b895109f4fb988958818d6949a18e9a697385624b8b7f21e953b73559e85ca1b8258eac5784f3bc61

C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key

MD5 0a890fa1564a45b37d9580836d476469
SHA1 11ad6073ea0804e628603cb65d5b60d7ab3820ec
SHA256 c5f3810ec58ea47aca34c246ced34ff0b70dbd87dc86c0dde081981b9e8ba47c
SHA512 fb831654bcd3bf3d066c075184d73e652973098aae741da561e10b57ad8de704ba97059f50e4c599fd9366bf527aa820ccb3044d1a0fda09e963be86911fa3ad

Analysis: behavioral6

Detonation Overview

Submitted: 2024-11-25 01:10
Reported: 2024-11-25 01:13
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe"

Signatures

Reads user/profile data of web browsers

Tags: spyware stealer

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe

"C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted: 2024-11-25 01:10
Reported: 2024-11-25 01:13
Platform: win7-20240903-en
Max time kernel: 117s
Max time network: 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32.dll,#1

Signatures

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3020 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted: 2024-11-25 01:10
Reported: 2024-11-25 01:13
Platform: win10v2004-20241007-en
Max time kernel: 93s
Max time network: 139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32_pass.dll,#1

Signatures

Lockbit

Tags: ransomware lockbit

Lockbit family

Tags: lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3656 wrote to memory of 5056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3656 wrote to memory of 5056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3656 wrote to memory of 5056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32_pass.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32_pass.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

memory/5056-0-0x0000000010000000-0x0000000010027000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted: 2024-11-25 01:10
Reported: 2024-11-25 01:13
Platform: win10v2004-20241007-en
Max time kernel: 92s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_pass.exe"

Signatures

Lockbit

Tags: ransomware lockbit

Lockbit family

Tags: lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_pass.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_pass.exe

"C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_pass.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2016 -ip 2016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 264

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/2016-0-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2016-1-0x0000000000400000-0x0000000000427000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted: 2024-11-25 01:10
Reported: 2024-11-25 01:13
Platform: win10v2004-20241007-en
Max time kernel: 92s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe"

Signatures

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe

"C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-25 01:10
Reported: 2024-11-25 01:13
Platform: win10v2004-20241007-en
Max time kernel: 93s
Max time network: 143s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ransom\Build.bat"

Signatures

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3460 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe
PID 3460 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe
PID 3460 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe
PID 3460 wrote to memory of 3332 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 3332 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 3332 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 2564 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 2564 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 2564 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 4488 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 4488 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 4488 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 4424 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 4424 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 4424 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 3608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 3608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 3608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 4596 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 4596 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe
PID 3460 wrote to memory of 4596 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ransom\Build.bat"

C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe

keygen -path C:\Users\Admin\AppData\Local\Temp\ransom\Build -pubkey pub.key -privkey priv.key

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_pass.exe

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32.dll

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32_pass.dll

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_ReflectiveDll_DllMain.dll

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\ransom\Build\priv.key

MD5 836cbc1c4dad9ffd4abdb27ed98d57f7
SHA1 b84dfb08cc0a70e34360bf518ca3be002dabe8cb
SHA256 679e662ae76cf37058561fe2b5353b7eb1a0156ea26542630aeafba5740a6415
SHA512 54334d7a604942b86961ddb3c93081211f4f870607019e84b185d0a15359e0f7f6271db5045cdd9466c6737042a61c5b1727fae12a6aad447a955f9c5f9316cc

C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key

MD5 dd4d23840e3a9fc3f8dfad3051bbe60f
SHA1 41135caa32932400b6475f840a3c79eac1ce433e
SHA256 3c551ac76f0dc38546d1045d3afbd4ebca5d82d452ff1160741459d76d0248b6
SHA512 b3f71b68c41968cf4ccab106a6e4c7346086ed140234bedbfb9355e3c8d36328f3786cf74f7833019e401032931ecb40a6b0ab9ae93878d1ca98f1bcf3760ab6

Analysis: behavioral4

Detonation Overview

Submitted: 2024-11-25 01:10
Reported: 2024-11-25 01:13
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe"

Signatures

Renames multiple (644) files with added filename extension

Tags: ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\ProgramData\F7EE.tmp | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\F7EE.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\F7EE.tmp | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A

Indicator Removal: File Deletion

Tags: defense_evasion

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\spool\PRINTERS\PP_g0wch1cvsb6mw21ot1gv678d.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPgu7wj58vdjiait2q2grt7m0gc.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPf1wegatf3az8h4dnx8uefcg3.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A

Sets desktop wallpaper using registry

Tags: ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\BNzPckH0e.bmp" | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\BNzPckH0e.bmp" | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\F7EE.tmp | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\F7EE.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Modifies Control Panel

Tags: evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e\ = "BNzPckH0e" | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon\ = "C:\\ProgramData\\BNzPckH0e.ico" | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe | N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{495F6490-D799-4AD2-9889-75CFB19337A9}.xps" 133769706805470000

C:\ProgramData\F7EE.tmp

"C:\ProgramData\F7EE.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F7EE.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/5044-0-0x00000000028F0000-0x0000000002900000-memory.dmp

memory/5044-2-0x00000000028F0000-0x0000000002900000-memory.dmp

memory/5044-1-0x00000000028F0000-0x0000000002900000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\KKKKKKKKKKK

MD5 9b3c31a8949f5c82ac5073fc31de9101
SHA1 0b3747de63da3f854eb3d6bd1dba4b21b3573aa4
SHA256 89648f10bab3d6834cd277c398dce474174c47f97bf8749d41bfbc7c9e06a6e2
SHA512 a21277bfdd50ca31d1cf1d8d37e89c16248db48f3188da4171b5910bf73ddb2937c6999db74be04cf87f15a6cf900b54fb27a285574449ed0bea6a53bc909938

F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\DDDDDDDDDDD

MD5 7443e897a8d5b4a03f8b066c5f8d0be4
SHA1 b14e87791e206bd59bf369e787bad49d2b56e053
SHA256 8f5f9bf99b3468090ebab7f5077efa931e24c43cd53d229ef86b7e9d7734ce0e
SHA512 0747b8a08b9f274d3354f0b759821d907849e4024ce8cba9f3ceb978774b1d6b5283c8a2cd7a4ccc8c9f7639c157e17c39c0dff839bd985d05064fc0dea4047c

C:\BNzPckH0e.README.txt

MD5 eaebdbc14b3c2ecdcec757fc361f5589
SHA1 02ec5589c9f3c671c464671faaf1b8343d849490
SHA256 0f037f3ac40aa8e999e3394d3741594b3410581f89eb467863e0ff30fa2417da
SHA512 14f5876fd27dbff0784e851e1c2fe4c68f70dc3b0cc2e95f10ab28bc872f90e82bb590f441379b73579c54680132a6961d216b9c18cd9648f9a45d4a72db660f

memory/5044-2984-0x00000000028F0000-0x0000000002900000-memory.dmp

memory/5044-2983-0x00000000028F0000-0x0000000002900000-memory.dmp

memory/5044-2982-0x00000000028F0000-0x0000000002900000-memory.dmp

C:\ProgramData\F7EE.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/4744-3000-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

memory/4744-3002-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

memory/4744-3003-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

memory/4744-3001-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

memory/4744-3004-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ransom\Build\DDDDDDD

MD5 92444549eafc41f7eccab5004a5ded3d
SHA1 7610633764c9165526b9f79419cbc6e51348fd8b
SHA256 6a5d41451302c7f8d556a712c2a07921ad548d9115cc61feba51c3098ec3d4e2
SHA512 647a1d051b8d7da14772ccf2aefa595e1536f613491b6048133e58bebff13b63ec03b53e5fc8d4059dbd06321ee7404e6223738c8f72a02c6f93a27d63cab853

memory/4744-3033-0x00007FF843660000-0x00007FF843670000-memory.dmp

memory/4744-3034-0x00007FF843660000-0x00007FF843670000-memory.dmp

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 c2e4d23d1575ad62d11875d6e58d9813
SHA1 851e56817200fde5a4721ab1894c85238f8aff9b
SHA256 fae7dac3b33afa8338b61c37759a8fd21c4e8f7cb03be7f40611a5b318208e2d
SHA512 fe05ec86c2f95beb5e6c7fa63f6a421fa9fb4c5b191225e9b05ceefba5b1419b22f34cbbc72bbd10aa64e17eb4606d4f1d7221ef22b138da1963f4ea3100a4c5

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-25 01:10

Reported

2024-11-25 01:13

Platform

win7-20240903-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe

"C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe"

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-25 01:10

Reported

2024-11-25 01:13

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3900 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3900 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3900 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.208.201.84.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-25 01:10

Reported

2024-11-25 01:13

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe"

Signatures

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

"C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-25 01:10

Reported

2024-11-25 01:13

Platform

win7-20241010-en

Max time kernel

118s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe

"C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exe"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-25 01:10

Reported

2024-11-25 01:13

Platform

win7-20240729-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe"

Signatures

Renames multiple (370) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\E678.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\E678.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A

Indicator Removal: File Deletion

defense_evasion

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\BNzPckH0e.bmp" C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\BNzPckH0e.bmp" C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\E678.tmp N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\E678.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Control Panel

evasion

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon\ = "C:\\ProgramData\\BNzPckH0e.ico" C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e\ = "BNzPckH0e" C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe"

C:\ProgramData\E678.tmp

"C:\ProgramData\E678.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E678.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c

Network

N/A

Files

memory/304-0-0x0000000000D50000-0x0000000000D90000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini

MD5 fb049ce8b0ba1b0980ab771688d2b88e
SHA1 3bda751c709cf6ce3c650b347a24b4f6e3b0a226
SHA256 ea008df100f89e5638bd312038a039d28c3647a1791a8961fc0b4b7c299de637
SHA512 46c86a4cc06e1f6946edad4eebeca73e27e5380557098e04ac327586bead64a235d21f29965aa88841ce083ba20a324f11bfcbd052fe6aa0bf0c4eea8b2dfc1d

F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\DDDDDDDDDDD

MD5 49192a1339cfb45274f014c35683a130
SHA1 20e663ff9eafca460fd17ce4ebb6d057e7e8a4ed
SHA256 74f9bce0ced316c5d0db8f706f5eabff7d8e149b4e0662aa3e0c626923a92e27
SHA512 69275db05aa9bc781c2506bc0838914fb7c2775a529f47df46c8bf2883035a3131826aa8018fc9d52131150818016130c1c573c51871d9979c23120c16c2bdf2

C:\BNzPckH0e.README.txt

MD5 eaebdbc14b3c2ecdcec757fc361f5589
SHA1 02ec5589c9f3c671c464671faaf1b8343d849490
SHA256 0f037f3ac40aa8e999e3394d3741594b3410581f89eb467863e0ff30fa2417da
SHA512 14f5876fd27dbff0784e851e1c2fe4c68f70dc3b0cc2e95f10ab28bc872f90e82bb590f441379b73579c54680132a6961d216b9c18cd9648f9a45d4a72db660f

\ProgramData\E678.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2124-897-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/2124-901-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/2124-900-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2124-899-0x00000000022B0000-0x00000000022F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ransom\Build\DDDDDDD

MD5 fb22a0f860407ecbd974c4482da71d24
SHA1 6f15450b5d506aeb513eda7aa291346d82186a76
SHA256 098a689b9c056f5e2d875d93988b9a38dee7d8f0c17b20a067570ada457b33fa
SHA512 fe62eb777f86dd9dc96f3972437904f6fd3b2d2620a97e2ba6334a43e9d3ff252100bcbb779135004e354e465c98abb76cd8f3a8bc49a21b8931845242026b07

memory/2124-931-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/2124-930-0x000000007EF40000-0x000000007EF41000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-25 01:10

Reported

2024-11-25 01:13

Platform

win7-20241010-en

Max time kernel

72s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_ReflectiveDll_DllMain.dll,#1

Signatures

Renames multiple (278) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\BE21.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\BE21.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Indicator Removal: File Deletion

defense_evasion

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\BE21.tmp N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\BE21.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e\ = "BNzPckH0e" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon\ = "C:\\ProgramData\\BNzPckH0e.ico" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2116 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2116 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2116 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2116 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2116 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2116 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2044 wrote to memory of 1752 N/A C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\BE21.tmp
PID 2044 wrote to memory of 1752 N/A C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\BE21.tmp
PID 2044 wrote to memory of 1752 N/A C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\BE21.tmp
PID 2044 wrote to memory of 1752 N/A C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\BE21.tmp
PID 2044 wrote to memory of 1752 N/A C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\BE21.tmp
PID 1752 wrote to memory of 2016 N/A C:\ProgramData\BE21.tmp C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2016 N/A C:\ProgramData\BE21.tmp C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2016 N/A C:\ProgramData\BE21.tmp C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2016 N/A C:\ProgramData\BE21.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_ReflectiveDll_DllMain.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_ReflectiveDll_DllMain.dll,#1

C:\ProgramData\BE21.tmp

"C:\ProgramData\BE21.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BE21.tmp >> NUL

Network

N/A

Files

memory/2044-0-0x0000000001DF0000-0x0000000001E30000-memory.dmp

C:\BNzPckH0e.README.txt

MD5 eaebdbc14b3c2ecdcec757fc361f5589
SHA1 02ec5589c9f3c671c464671faaf1b8343d849490
SHA256 0f037f3ac40aa8e999e3394d3741594b3410581f89eb467863e0ff30fa2417da
SHA512 14f5876fd27dbff0784e851e1c2fe4c68f70dc3b0cc2e95f10ab28bc872f90e82bb590f441379b73579c54680132a6961d216b9c18cd9648f9a45d4a72db660f

memory/2044-588-0x0000000003D50000-0x0000000003D90000-memory.dmp

\ProgramData\BE21.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1752-615-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/1752-614-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1752-613-0x0000000000230000-0x0000000000270000-memory.dmp

memory/1752-612-0x0000000000230000-0x0000000000270000-memory.dmp

memory/1752-611-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/2044-616-0x0000000001DF0000-0x0000000001E30000-memory.dmp

memory/2044-617-0x0000000003D50000-0x0000000003D90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ransom\Build\DDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 a0a732e25c64a2826bec452b47fd6544
SHA1 820ba8431a81824ae28551c105767ee20fafb50c
SHA256 42d0bc63b6055bb6e33bfbe1cbee512548be17309923202793bc33d550c5b46d
SHA512 53abd6c9377eeb505ead6b6a062889beb45f0d12940c791f6efc9ae2cdf58a320cc66aa29d0c59ef44cdb0f1c9e6756785bb19cf9b4766d5ee5f562139b37df8

memory/1752-647-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/1752-646-0x000000007EF40000-0x000000007EF41000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-25 01:10

Reported

2024-11-25 01:13

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_ReflectiveDll_DllMain.dll,#1

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\ProgramData\A400.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\A400.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\A400.tmp N/A

Indicator Removal: File Deletion

defense_evasion

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\A400.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\A400.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e\ = "BNzPckH0e" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon\ = "C:\\ProgramData\\BNzPckH0e.ico" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4320 wrote to memory of 4780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4320 wrote to memory of 4780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4320 wrote to memory of 4780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4780 wrote to memory of 3124 N/A C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\A400.tmp
PID 4780 wrote to memory of 3124 N/A C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\A400.tmp
PID 4780 wrote to memory of 3124 N/A C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\A400.tmp
PID 4780 wrote to memory of 3124 N/A C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\A400.tmp
PID 3124 wrote to memory of 2324 N/A C:\ProgramData\A400.tmp C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2324 N/A C:\ProgramData\A400.tmp C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2324 N/A C:\ProgramData\A400.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_ReflectiveDll_DllMain.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_ReflectiveDll_DllMain.dll,#1

C:\ProgramData\A400.tmp

"C:\ProgramData\A400.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A400.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/4780-0-0x0000000002470000-0x0000000002480000-memory.dmp

memory/4780-1-0x0000000002470000-0x0000000002480000-memory.dmp

memory/4780-2-0x0000000002470000-0x0000000002480000-memory.dmp

memory/4780-4-0x0000000002D90000-0x0000000002DA0000-memory.dmp

C:\ProgramData\A400.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/3124-14-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/3124-13-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/3124-12-0x0000000002370000-0x0000000002380000-memory.dmp

memory/3124-11-0x0000000002370000-0x0000000002380000-memory.dmp

memory/3124-10-0x000000007FE40000-0x000000007FE41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ransom\Build\DDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 3dc467439fce2d2171c6697c0f174523
SHA1 504acf5c140f1da11cf2ddadc131087e0a2d8434
SHA256 b31050da4f8463b0f0f7ac23d0880bf08c37dc9427a8eee22db185b8442cf961
SHA512 ddf5404b3cb9dc7d0ec024bac309e2155a79f167a0603c6ae41bed0fc1e187933b9cc920b2a4bb98d85a387304db7a1b40a65fa523f33e05fec3a983f07d5c9e

memory/3124-44-0x000000007FE00000-0x000000007FE01000-memory.dmp

memory/3124-43-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-25 01:10

Reported

2024-11-25 01:13

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32_pass.dll,#1

Signatures

Lockbit

ransomware lockbit

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32_pass.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32_pass.dll,#1

Network

N/A

Files

memory/2076-0-0x0000000010000000-0x0000000010027000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-25 01:10

Reported

2024-11-25 01:13

Platform

win7-20240903-en

Max time kernel

16s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_pass.exe"

Signatures

Lockbit

ransomware lockbit

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_pass.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_pass.exe

"C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_pass.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 88

Network

N/A

Files

memory/2180-0-0x0000000000400000-0x0000000000427000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-25 01:10

Reported

2024-11-25 01:13

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe

"C:\Users\Admin\AppData\Local\Temp\ransom\builder.exe"

Network

N/A

Files

N/A