Overview (score 10)
Static (score 10)

Tasks (task, platform, score):
Builds.7z  windows7-x64  1
Builds.7z  windows10-2004-x64  1
Builds/ESX...me.zip  windows7-x64  1
Builds/ESX...me.zip  windows10-2004-x64  1
Builds/LBB...ad.zip  windows7-x64  1
Builds/LBB...ad.zip  windows10-2004-x64  1
LBB_PS1.ps1  windows7-x64  5
LBB_PS1.ps1  windows10-2004-x64  9
LBB_PS1_ob...ed.ps1  windows7-x64  3
LBB_PS1_ob...ed.ps1  windows10-2004-x64  3
LBB_PS1_pass.ps1  windows7-x64  10
LBB_PS1_pass.ps1  windows10-2004-x64  10
LBB_Reflec...in.dll  windows7-x64  9
LBB_Reflec...in.dll  windows10-2004-x64  7
LBB_Rundll32.dll  windows7-x64  3
LBB_Rundll32.dll  windows10-2004-x64  3
LBB_Rundll32_pass.dll  windows7-x64  10
LBB_Rundll32_pass.dll  windows10-2004-x64  10
LBB_pass.exe  windows7-x64  10
LBB_pass.exe  windows10-2004-x64  10
Password_dll.txt  windows7-x64  1
Password_dll.txt  windows10-2004-x64  1
Password_exe.txt  windows7-x64  1
Password_exe.txt  windows10-2004-x64  1
Password_ps1.txt  windows7-x64  1
Password_ps1.txt  windows10-2004-x64  1
Builds/LBG...ok.zip  windows7-x64  1
Builds/LBG...ok.zip  windows10-2004-x64  1
FC8E43EC21...32.exe  windows7-x64  7
FC8E43EC21...32.exe  windows10-2004-x64  7
FC8E43EC21...64.exe  windows7-x64  7
FC8E43EC21...64.exe  windows10-2004-x64  7

Analysis
max time kernel: 20s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/12/2024, 22:23
Behavioral tasks (task, sample, resource):
behavioral1  Builds.7z  win7-20241010-en
behavioral2  Builds.7z  win10v2004-20241007-en
behavioral3  Builds/ESXi_vx-_____________329D6F9DDBF138D4_19.12.24_i_love_anime.zip  win7-20241010-en
behavioral4  Builds/ESXi_vx-_____________329D6F9DDBF138D4_19.12.24_i_love_anime.zip  win10v2004-20241007-en
behavioral5  Builds/LBB_vx-_____________07AAB9B790E0235B_19.12.24_hacking_is_bad.zip  win7-20240903-en
behavioral6  Builds/LBB_vx-_____________07AAB9B790E0235B_19.12.24_hacking_is_bad.zip  win10v2004-20241007-en
behavioral7  LBB_PS1.ps1  win7-20240903-en
behavioral8  LBB_PS1.ps1  win10v2004-20241007-en
behavioral9  LBB_PS1_obfuscated.ps1  win7-20240903-en
behavioral10  LBB_PS1_obfuscated.ps1  win10v2004-20241007-en
behavioral11  LBB_PS1_pass.ps1  win7-20241023-en
behavioral12  LBB_PS1_pass.ps1  win10v2004-20241007-en
behavioral13  LBB_ReflectiveDll_DllMain.dll  win7-20240903-en
behavioral14  LBB_ReflectiveDll_DllMain.dll  win10v2004-20241007-en
behavioral15  LBB_Rundll32.dll  win7-20240903-en
behavioral16  LBB_Rundll32.dll  win10v2004-20241007-en
behavioral17  LBB_Rundll32_pass.dll  win7-20240903-en
behavioral18  LBB_Rundll32_pass.dll  win10v2004-20241007-en
behavioral19  LBB_pass.exe  win7-20240729-en
behavioral20  LBB_pass.exe  win10v2004-20241007-en
behavioral21  Password_dll.txt  win7-20240903-en
behavioral22  Password_dll.txt  win10v2004-20241007-en
behavioral23  Password_exe.txt  win7-20241010-en
behavioral24  Password_exe.txt  win10v2004-20241007-en
behavioral25  Password_ps1.txt  win7-20240903-en
behavioral26  Password_ps1.txt  win10v2004-20241007-en
behavioral27  Builds/LBG_vx-_____________FC8E43EC21BE9047_19.12.24_hacking_is_illegal_ok.zip  win7-20240903-en
behavioral28  Builds/LBG_vx-_____________FC8E43EC21BE9047_19.12.24_hacking_is_illegal_ok.zip  win10v2004-20241007-en
behavioral29  FC8E43EC21BE9047/lbg32.exe  win7-20240903-en
behavioral30  FC8E43EC21BE9047/lbg32.exe  win10v2004-20241007-en
behavioral31  FC8E43EC21BE9047/lbg64.exe  win7-20240903-en
behavioral32  FC8E43EC21BE9047/lbg64.exe  win10v2004-20241007-en
General
Target: FC8E43EC21BE9047/lbg32.exe
Size: 60KB
MD5: c5cc3c5cef6b382568a54f579b2965ff
SHA1: e85b5bf2fd1ea0d5d71841f2cc8d46fc2055c22b
SHA256: 48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5
SHA512: 74d93ba3dc7b3fdfafe30663162dad3fee0b278d12fea527eb535b4eb25979dcc365b49cb702ac9c2addbb0ee550310759e88c2657b61a2b0e4906d4099281eb
SSDEEP: 1536:SAndsqiqdYMRgIaN04k27Gtdf/3U9s1iGbQTqL9:Fds3vIaN04kKGhjmq
Malware Config
Signatures
Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.

Deletes itself (1 IoCs)
pid 4380  lbg32.exe

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
(description, ioc, process)
File opened (read-only)  \??\L:  lbg32.exe
File opened (read-only)  \??\N:  lbg32.exe
File opened (read-only)  \??\U:  lbg32.exe
File opened (read-only)  \??\A:  lbg32.exe
File opened (read-only)  \??\G:  lbg32.exe
File opened (read-only)  \??\H:  lbg32.exe
File opened (read-only)  \??\J:  lbg32.exe
File opened (read-only)  \??\K:  lbg32.exe
File opened (read-only)  \??\Z:  lbg32.exe
File opened (read-only)  \??\V:  lbg32.exe
File opened (read-only)  \??\T:  lbg32.exe
File opened (read-only)  \??\O:  lbg32.exe
File opened (read-only)  \??\S:  lbg32.exe
File opened (read-only)  \??\B:  lbg32.exe
File opened (read-only)  \??\M:  lbg32.exe
File opened (read-only)  \??\D:  lbg32.exe
File opened (read-only)  \??\Y:  lbg32.exe
File opened (read-only)  \??\I:  lbg32.exe
File opened (read-only)  \??\F:  lbg32.exe
File opened (read-only)  \??\E:  lbg32.exe
File opened (read-only)  \??\P:  lbg32.exe
File opened (read-only)  \??\X:  lbg32.exe

Drops file in Program Files directory (64 IoCs)
(description, ioc, process)
File opened for modification  C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.960194faf4a2  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.58a9f2744abc  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.png.fca25d90e2c8  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\vreg\powerview.x-none.msi.16.x-none.vreg.dat.da5d844e4816  lbg32.exe
File created  C:\Program Files\VideoLAN\VLC\locale\bn\Restore-My-Files.txt  lbg32.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif.d55a8c494b61  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.67a4c00b0d53  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.1c617eb0bee8  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png.8a9118e6e8de  lbg32.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\external_extensions.json.f0b043fcf2c4  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.c5894fbbb9f3  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.738efe23115b  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.cb8a42bbb903  lbg32.exe
File created  C:\Program Files\Common Files\microsoft shared\ink\pl-PL\Restore-My-Files.txt  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Templates\1033\ClassicPhotoAlbum.potx.7baed66b6953  lbg32.exe
File created  C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\Restore-My-Files.txt  lbg32.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.12849586702e  lbg32.exe
File opened for modification  C:\Program Files\7-Zip\Lang\eo.txt.a7e84c5b4593  lbg32.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.b978c2352b7d  lbg32.exe
File created  C:\Program Files\VideoLAN\VLC\locale\ug\Restore-My-Files.txt  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.b39424e7f18f  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.boot.tree.dat.b42691d8da80  lbg32.exe
File opened for modification  C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.95a432393fe1  lbg32.exe
File created  C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\Restore-My-Files.txt  lbg32.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.3d6856d1af19  lbg32.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.d411c6d8d6e0  lbg32.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo.e431d6888630  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.17687c8bb5e3  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.bbb40c3f39f7  lbg32.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\vlc.mo.3d734db7a10f  lbg32.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.c2b071eee016  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.c1a96bffe537  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.e227c69280da  lbg32.exe
File created  C:\Program Files\Common Files\System\msadc\es-ES\Restore-My-Files.txt  lbg32.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-It.otf.7d8bf517215f  lbg32.exe
File created  C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\Restore-My-Files.txt  lbg32.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac.cf9854a3dd0b  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.a7bc183b3df3  lbg32.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo.08d4dfeceac4  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.2ad2fbcac822  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.cbbd75d9db01  lbg32.exe
File created  C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\Restore-My-Files.txt  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.421d5c56208e  lbg32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png.f2d627a2b04a  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png.fff5097d6735  lbg32.exe
File opened for modification  C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.e659bcba8472  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL.c71edad7dd0f  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.b866dd5c2694  lbg32.exe
File created  C:\Program Files\VideoLAN\VLC\locale\ml\Restore-My-Files.txt  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.dbd50d595b11  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PowerPointInterProviderRanker.bin.f91ce6adabf5  lbg32.exe
File created  C:\Program Files\Java\jdk-1.8\jre\lib\images\Restore-My-Files.txt  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.7387f7211f49  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\MEDIA\COIN.WAV.0bcbc3f9ffc1  lbg32.exe
File created  C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\Restore-My-Files.txt  lbg32.exe
File created  C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\Restore-My-Files.txt  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.1a5f468a88d2  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.8d6ee0213349  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.9cde41100258  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.3589bf6b6903  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.f448bfa89640  lbg32.exe
File created  C:\Program Files\VideoLAN\VLC\locale\uz\Restore-My-Files.txt  lbg32.exe
File created  C:\Program Files\VideoLAN\VLC\plugins\d3d11\Restore-My-Files.txt  lbg32.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms.7650253a34c2  lbg32.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
(description, ioc, process)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lbg32.exe

Suspicious behavior: RenamesItself (1 IoCs)
pid 4380  lbg32.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
(description, pid, process)
Token: SeDebugPrivilege  4380  lbg32.exe
Token: SeBackupPrivilege  4508  vssvc.exe
Token: SeRestorePrivilege  4508  vssvc.exe
Token: SeAuditPrivilege  4508  vssvc.exe
The following 21 tokens are each listed twice for pid 1936 WMIC.exe:
Token: SeIncreaseQuotaPrivilege  1936  WMIC.exe
Token: SeSecurityPrivilege  1936  WMIC.exe
Token: SeTakeOwnershipPrivilege  1936  WMIC.exe
Token: SeLoadDriverPrivilege  1936  WMIC.exe
Token: SeSystemProfilePrivilege  1936  WMIC.exe
Token: SeSystemtimePrivilege  1936  WMIC.exe
Token: SeProfSingleProcessPrivilege  1936  WMIC.exe
Token: SeIncBasePriorityPrivilege  1936  WMIC.exe
Token: SeCreatePagefilePrivilege  1936  WMIC.exe
Token: SeBackupPrivilege  1936  WMIC.exe
Token: SeRestorePrivilege  1936  WMIC.exe
Token: SeShutdownPrivilege  1936  WMIC.exe
Token: SeDebugPrivilege  1936  WMIC.exe
Token: SeSystemEnvironmentPrivilege  1936  WMIC.exe
Token: SeRemoteShutdownPrivilege  1936  WMIC.exe
Token: SeUndockPrivilege  1936  WMIC.exe
Token: SeManageVolumePrivilege  1936  WMIC.exe
Token: 33  1936  WMIC.exe
Token: 34  1936  WMIC.exe
Token: 35  1936  WMIC.exe
Token: 36  1936  WMIC.exe

Suspicious use of WriteProcessMemory (4 IoCs)
(description, pid, process, procid_target)
PID 4380 wrote to memory of 4672  4380  lbg32.exe  85
PID 4380 wrote to memory of 4672  4380  lbg32.exe  85
PID 4672 wrote to memory of 1936  4672  cmd.exe  87
PID 4672 wrote to memory of 1936  4672  cmd.exe  87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe"
PID: 4380
- Deletes itself
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SYSTEM32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6CBC8F64-EC4A-4F4E-9582-FE10EAD0A5BE}'" delete
  PID: 4672
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\System32\wbem\WMIC.exe
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6CBC8F64-EC4A-4F4E-9582-FE10EAD0A5BE}'" delete
    PID: 1936
    - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 4508
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 6KB
MD5: 74a77bd81fa83b32b595eafa20c978ec
SHA1: 5ce7e2079a61d012d4839a84eb7bb329651a2ead
SHA256: 49cc31e84e5f3cf75de5d5f58f62ac6c43d9dca726dfc750593129b730a56616
SHA512: 71accd7c7e1060a696718a4f11a7e04c2f6c16b05dfe4fa12e80878d703a403b7d33861b1315436f881fba37e1a0c3ae2aefc09499f5e7b04b2c582ba0e635e4