Overview
Overview score: 10
Static analysis score: 10

Per-task scores:
Sample                     Platform            Score
Builds.7z                  windows7-x64        1
Builds.7z                  windows10-2004-x64  1
Builds/ESX...me.zip        windows7-x64        1
Builds/ESX...me.zip        windows10-2004-x64  1
Builds/LBB...ad.zip        windows7-x64        1
Builds/LBB...ad.zip        windows10-2004-x64  1
LBB_PS1.ps1                windows7-x64        5
LBB_PS1.ps1                windows10-2004-x64  9
LBB_PS1_ob...ed.ps1        windows7-x64        3
LBB_PS1_ob...ed.ps1        windows10-2004-x64  3
LBB_PS1_pass.ps1           windows7-x64        10
LBB_PS1_pass.ps1           windows10-2004-x64  10
LBB_Reflec...in.dll        windows7-x64        9
LBB_Reflec...in.dll        windows10-2004-x64  7
LBB_Rundll32.dll           windows7-x64        3
LBB_Rundll32.dll           windows10-2004-x64  3
LBB_Rundll32_pass.dll      windows7-x64        10
LBB_Rundll32_pass.dll      windows10-2004-x64  10
LBB_pass.exe               windows7-x64        10
LBB_pass.exe               windows10-2004-x64  10
Password_dll.txt           windows7-x64        1
Password_dll.txt           windows10-2004-x64  1
Password_exe.txt           windows7-x64        1
Password_exe.txt           windows10-2004-x64  1
Password_ps1.txt           windows7-x64        1
Password_ps1.txt           windows10-2004-x64  1
Builds/LBG...ok.zip        windows7-x64        1
Builds/LBG...ok.zip        windows10-2004-x64  1
FC8E43EC21...32.exe        windows7-x64        7
FC8E43EC21...32.exe        windows10-2004-x64  7
FC8E43EC21...64.exe        windows7-x64        7
FC8E43EC21...64.exe        windows10-2004-x64  7

Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 22:23
Behavioral tasks
Task          Resource                Sample
behavioral1   win7-20241010-en        Builds.7z
behavioral2   win10v2004-20241007-en  Builds.7z
behavioral3   win7-20241010-en        Builds/ESXi_vx-_____________329D6F9DDBF138D4_19.12.24_i_love_anime.zip
behavioral4   win10v2004-20241007-en  Builds/ESXi_vx-_____________329D6F9DDBF138D4_19.12.24_i_love_anime.zip
behavioral5   win7-20240903-en        Builds/LBB_vx-_____________07AAB9B790E0235B_19.12.24_hacking_is_bad.zip
behavioral6   win10v2004-20241007-en  Builds/LBB_vx-_____________07AAB9B790E0235B_19.12.24_hacking_is_bad.zip
behavioral7   win7-20240903-en        LBB_PS1.ps1
behavioral8   win10v2004-20241007-en  LBB_PS1.ps1
behavioral9   win7-20240903-en        LBB_PS1_obfuscated.ps1
behavioral10  win10v2004-20241007-en  LBB_PS1_obfuscated.ps1
behavioral11  win7-20241023-en        LBB_PS1_pass.ps1
behavioral12  win10v2004-20241007-en  LBB_PS1_pass.ps1
behavioral13  win7-20240903-en        LBB_ReflectiveDll_DllMain.dll
behavioral14  win10v2004-20241007-en  LBB_ReflectiveDll_DllMain.dll
behavioral15  win7-20240903-en        LBB_Rundll32.dll
behavioral16  win10v2004-20241007-en  LBB_Rundll32.dll
behavioral17  win7-20240903-en        LBB_Rundll32_pass.dll
behavioral18  win10v2004-20241007-en  LBB_Rundll32_pass.dll
behavioral19  win7-20240729-en        LBB_pass.exe
behavioral20  win10v2004-20241007-en  LBB_pass.exe
behavioral21  win7-20240903-en        Password_dll.txt
behavioral22  win10v2004-20241007-en  Password_dll.txt
behavioral23  win7-20241010-en        Password_exe.txt
behavioral24  win10v2004-20241007-en  Password_exe.txt
behavioral25  win7-20240903-en        Password_ps1.txt
behavioral26  win10v2004-20241007-en  Password_ps1.txt
behavioral27  win7-20240903-en        Builds/LBG_vx-_____________FC8E43EC21BE9047_19.12.24_hacking_is_illegal_ok.zip
behavioral28  win10v2004-20241007-en  Builds/LBG_vx-_____________FC8E43EC21BE9047_19.12.24_hacking_is_illegal_ok.zip
behavioral29  win7-20240903-en        FC8E43EC21BE9047/lbg32.exe
behavioral30  win10v2004-20241007-en  FC8E43EC21BE9047/lbg32.exe
behavioral31  win7-20240903-en        FC8E43EC21BE9047/lbg64.exe
behavioral32  win10v2004-20241007-en  FC8E43EC21BE9047/lbg64.exe
General
Target: FC8E43EC21BE9047/lbg32.exe
Size: 60KB
MD5: c5cc3c5cef6b382568a54f579b2965ff
SHA1: e85b5bf2fd1ea0d5d71841f2cc8d46fc2055c22b
SHA256: 48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5
SHA512: 74d93ba3dc7b3fdfafe30663162dad3fee0b278d12fea527eb535b4eb25979dcc365b49cb702ac9c2addbb0ee550310759e88c2657b61a2b0e4906d4099281eb
SSDEEP: 1536:SAndsqiqdYMRgIaN04k27Gtdf/3U9s1iGbQTqL9:Fds3vIaN04kKGhjmq
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 2868: lbg32.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by lbg32.exe: \??\M:, \??\D:, \??\T:, \??\Y:, \??\A:, \??\S:, \??\G:, \??\L:, \??\I:, \??\B:, \??\N:, \??\F:, \??\U:, \??\K:, \??\V:, \??\X:, \??\E:, \??\O:, \??\P:, \??\H:, \??\J:, \??\Z:
Drops file in Program Files directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened by lbg32.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: RenamesItself (1 IoC)
  PID 2868: lbg32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  lbg32.exe (PID 2868): SeDebugPrivilege
  vssvc.exe (PID 1816): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  WMIC.exe (PID 2740, logged twice) and WMIC.exe (PID 2588), identical token sets: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory (64 IoCs)
  lbg32.exe (PID 2868) wrote to the memory of each cmd.exe it spawned: 2628, 2636, 2768, 2712, 2500, 2216, 1780, 2244, 1692, 1184
  each cmd.exe wrote to the memory of its WMIC.exe child: 2628 -> 2740, 2636 -> 2588, 2768 -> 2784, 2712 -> 2596, 2500 -> 2560, 2216 -> 2656, 1780 -> 672, 2244 -> 2232, 1692 -> 1992
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
lbg32.exe spawns one cmd.exe / WMIC.exe pair per Volume Shadow Copy ID (18 shadowcopy delete commands in this run); vssvc.exe is the Volume Shadow Copy service itself.

C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe (PID 2868): "C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe"
  [Deletes itself; Enumerates connected drives; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
  C:\Windows\system32\cmd.exe (PID 2628): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{70867F06-7CE1-4635-B3B9-B5A80520A0FD}'" delete  [Suspicious use of WriteProcessMemory]
    C:\Windows\System32\wbem\WMIC.exe (PID 2740): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{70867F06-7CE1-4635-B3B9-B5A80520A0FD}'" delete  [Suspicious use of AdjustPrivilegeToken]
  C:\Windows\system32\cmd.exe (PID 2636): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D11604F1-7F18-47A6-A744-AAD058AB754A}'" delete  [Suspicious use of WriteProcessMemory]
    C:\Windows\System32\wbem\WMIC.exe (PID 2588): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D11604F1-7F18-47A6-A744-AAD058AB754A}'" delete  [Suspicious use of AdjustPrivilegeToken]
  C:\Windows\system32\cmd.exe (PID 2768): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D0529A45-DBF9-4DB3-ACB1-3619AD81B6AC}'" delete  [Suspicious use of WriteProcessMemory]
    C:\Windows\System32\wbem\WMIC.exe (PID 2784): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D0529A45-DBF9-4DB3-ACB1-3619AD81B6AC}'" delete
  C:\Windows\system32\cmd.exe (PID 2712): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{062248DE-39B6-423C-A67E-69CAD416E064}'" delete  [Suspicious use of WriteProcessMemory]
    C:\Windows\System32\wbem\WMIC.exe (PID 2596): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{062248DE-39B6-423C-A67E-69CAD416E064}'" delete
  C:\Windows\system32\cmd.exe (PID 2500): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CF77FEF8-EF61-428A-9041-8F75AEE58A5A}'" delete  [Suspicious use of WriteProcessMemory]
    C:\Windows\System32\wbem\WMIC.exe (PID 2560): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CF77FEF8-EF61-428A-9041-8F75AEE58A5A}'" delete
  C:\Windows\system32\cmd.exe (PID 2216): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{46E9FFC8-3268-4C46-AEFC-42F29D38E242}'" delete  [Suspicious use of WriteProcessMemory]
    C:\Windows\System32\wbem\WMIC.exe (PID 2656): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{46E9FFC8-3268-4C46-AEFC-42F29D38E242}'" delete
  C:\Windows\system32\cmd.exe (PID 1780): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865DC7F6-3205-48B5-A10B-026BE0E5CCC3}'" delete  [Suspicious use of WriteProcessMemory]
    C:\Windows\System32\wbem\WMIC.exe (PID 672): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865DC7F6-3205-48B5-A10B-026BE0E5CCC3}'" delete
  C:\Windows\system32\cmd.exe (PID 2244): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{031360AE-AE90-4D09-A5DD-18BD27B4DA8B}'" delete  [Suspicious use of WriteProcessMemory]
    C:\Windows\System32\wbem\WMIC.exe (PID 2232): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{031360AE-AE90-4D09-A5DD-18BD27B4DA8B}'" delete
  C:\Windows\system32\cmd.exe (PID 1692): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{34AFA9F9-D8FE-4285-8FEE-F6108327FB60}'" delete  [Suspicious use of WriteProcessMemory]
    C:\Windows\System32\wbem\WMIC.exe (PID 1992): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{34AFA9F9-D8FE-4285-8FEE-F6108327FB60}'" delete
  C:\Windows\system32\cmd.exe (PID 1184): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B26E81A-246E-4812-AB1B-E09311497E4F}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 1060): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B26E81A-246E-4812-AB1B-E09311497E4F}'" delete
  C:\Windows\system32\cmd.exe (PID 1928): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8A5EE2C2-74F2-4F85-B085-352DD22F3F19}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 1940): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8A5EE2C2-74F2-4F85-B085-352DD22F3F19}'" delete
  C:\Windows\system32\cmd.exe (PID 1848): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E004930-4D06-41D2-8DA7-60B418047C45}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 2572): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E004930-4D06-41D2-8DA7-60B418047C45}'" delete
  C:\Windows\system32\cmd.exe (PID 1948): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B1E0F523-CDCE-47AA-8040-220077B8638D}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 2072): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B1E0F523-CDCE-47AA-8040-220077B8638D}'" delete
  C:\Windows\system32\cmd.exe (PID 2316): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ACCD57AE-C108-4B25-9C35-465EA0B0C589}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 552): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ACCD57AE-C108-4B25-9C35-465EA0B0C589}'" delete
  C:\Windows\system32\cmd.exe (PID 2148): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8689E06-A6C3-4B92-8ABD-7D142E9F6E63}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 912): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8689E06-A6C3-4B92-8ABD-7D142E9F6E63}'" delete
  C:\Windows\system32\cmd.exe (PID 704): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{691C44D9-4EB9-405D-88BA-127C26A77CF8}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 1444): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{691C44D9-4EB9-405D-88BA-127C26A77CF8}'" delete
  C:\Windows\system32\cmd.exe (PID 388): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0900A2AB-8F8F-4CFD-9EE8-2BED2485D25E}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 784): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0900A2AB-8F8F-4CFD-9EE8-2BED2485D25E}'" delete
  C:\Windows\system32\cmd.exe (PID 272): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{640F5951-2CA4-4B4A-8286-8786980B46DE}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 1556): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{640F5951-2CA4-4B4A-8286-8786980B46DE}'" delete
C:\Windows\system32\vssvc.exe (PID 1816): C:\Windows\system32\vssvc.exe  [Suspicious use of AdjustPrivilegeToken]
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
Filesize: 6KB
MD5: 74a77bd81fa83b32b595eafa20c978ec
SHA1: 5ce7e2079a61d012d4839a84eb7bb329651a2ead
SHA256: 49cc31e84e5f3cf75de5d5f58f62ac6c43d9dca726dfc750593129b730a56616
SHA512: 71accd7c7e1060a696718a4f11a7e04c2f6c16b05dfe4fa12e80878d703a403b7d33861b1315436f881fba37e1a0c3ae2aefc09499f5e7b04b2c582ba0e635e4