Analysis
-
max time kernel
366s -
max time network
362s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
26-11-2024 15:00
Behavioral task
behavioral1
Sample
LB3.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
LB3.exe
Resource
win10v2004-20241007-en
General
-
Target
LB3.exe
-
Size
146KB
-
MD5
e77ed091631caf183dc4141fe8fb51f2
-
SHA1
bbd0c5aba9c95209d29e5b59113e0bae203bf6d6
-
SHA256
54ed464306c9e21af8bbef2b8b95a1f3762722ddbc9b8e1ad9661760909f6975
-
SHA512
3751d62156eaed483cff9f589d2dba6871dabcae61bdfe9f3629cfc49529697521e4cd39f572b99ae6dab189d6e70c0d9be2ca96558060c4cd7b10faf617d3c6
-
SSDEEP
3072:XqJogYkcSNm9V7Dvjh4eL2OAXrsrbWnUroWT:Xq2kc4m9tDj2Fbs2io
Malware Config
Signatures
-
Renames multiple (356) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 524 EDA9.tmp -
Executes dropped EXE 1 IoCs
pid Process 524 EDA9.tmp -
Loads dropped DLL 1 IoCs
pid Process 2556 LB3.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini LB3.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini LB3.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\9XjtSQqIP.bmp" LB3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\9XjtSQqIP.bmp" LB3.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 524 EDA9.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LB3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EDA9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop LB3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\WallpaperStyle = "10" LB3.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\9XjtSQqIP LB3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\9XjtSQqIP\DefaultIcon\ = "C:\\ProgramData\\9XjtSQqIP.ico" LB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.9XjtSQqIP LB3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.9XjtSQqIP\ = "9XjtSQqIP" LB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\9XjtSQqIP\DefaultIcon LB3.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1512 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2556 LB3.exe 2556 LB3.exe 2556 LB3.exe 2556 LB3.exe 2556 LB3.exe 2556 LB3.exe 2556 LB3.exe 2556 LB3.exe 2556 LB3.exe 2556 LB3.exe 2556 LB3.exe 2556 LB3.exe 2556 LB3.exe 2556 LB3.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp 524 EDA9.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeDebugPrivilege 2556 LB3.exe Token: 36 2556 LB3.exe Token: SeImpersonatePrivilege 2556 LB3.exe Token: SeIncBasePriorityPrivilege 2556 LB3.exe Token: SeIncreaseQuotaPrivilege 2556 LB3.exe Token: 33 2556 LB3.exe Token: SeManageVolumePrivilege 2556 LB3.exe Token: SeProfSingleProcessPrivilege 2556 LB3.exe Token: SeRestorePrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeSystemProfilePrivilege 2556 LB3.exe Token: SeTakeOwnershipPrivilege 2556 LB3.exe Token: SeShutdownPrivilege 2556 LB3.exe Token: SeDebugPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeBackupPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe Token: SeSecurityPrivilege 2556 LB3.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2556 wrote to memory of 524 2556 LB3.exe 33 PID 2556 wrote to memory of 524 2556 LB3.exe 33 PID 2556 wrote to memory of 524 2556 LB3.exe 33 PID 2556 wrote to memory of 524 2556 LB3.exe 33 PID 2556 wrote to memory of 524 2556 LB3.exe 33 PID 524 wrote to memory of 1460 524 EDA9.tmp 34 PID 524 wrote to memory of 1460 524 EDA9.tmp 34 PID 524 wrote to memory of 1460 524 EDA9.tmp 34 PID 524 wrote to memory of 1460 524 EDA9.tmp 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\LB3.exe"C:\Users\Admin\AppData\Local\Temp\LB3.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\ProgramData\EDA9.tmp"C:\ProgramData\EDA9.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EDA9.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:1460
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\9XjtSQqIP.README.txt1⤵
- Opens file in notepad (likely ransom note)
PID:1512
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x14c1⤵PID:2932
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD52db259c0bf04364ce711655f467f3c83
SHA11e36d37f92d3cf5b4d587a19680025129446b0ea
SHA256899878c6c7a7c21e37332d4a38c2a05497351f8e1057cb6c2f7ac956cd5dcf81
SHA5124ca5ca6828f1d23276884c09ab987534bcad35a3d60ee6aa2d53fb0f10e69e5d0cbd15ef0298c5eaf8414495189e0de2667f1c5157e99e1dba88b62a99fde07d
-
Filesize
376B
MD5fc9c064d2cdf480f3433f956ef6b8872
SHA1b3447c96d398ffc75b5c6603abc511666d78d2fa
SHA256b70362efb225063b970f4ebca73a1eb53e1f680b8bc082ba27f34cbc79c05e4f
SHA512aaeb15ca236723112fa9682119790cb8288f0c678da6588bc0dc0d42e8dacd30ba13de6263cf48e6c9df19e20cd184e2da8578eeec650bc8341398d859d4b9c8
-
Filesize
146KB
MD52e694ede69e807161bd928bc7d544fb9
SHA1c049a9b89e11b251a661283e8a90d02903d6a223
SHA256b20f1611c21b826fc36ce1c8da028ea9d5ed1da4d837b8c38df7c4821b95c2c7
SHA512544d6c192368860913e82f66421a1b73b34c2407d3fdf38ee0752bcd19871a8ea7cd94e13df78c79c015f112f1f510649e072fba8402f4e173eadb4709b6fd49
-
Filesize
129B
MD58b32a10286b5cb2f1f92388f994848af
SHA187c0130af8907f1e50db8f1c9fef606764b818de
SHA256b11eb354d084ca0730797db825e9230698ef3ebb9076bb1b3e941010a2be107f
SHA51272589c73d5279cbfbf93fa42a4ae21b5d66ec4a3f6583ab75eb84e3bdd6fa5f309124a20f985b2cd712d594cbbaf7fc843529d15b4e671b04afe170ab2985533
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf