Overview
overview
10Static
static
10Builds.7z
windows7-x64
1Builds.7z
windows10-2004-x64
1Builds/ESX...me.zip
windows7-x64
1Builds/ESX...me.zip
windows10-2004-x64
1Builds/LBB...ad.zip
windows7-x64
1Builds/LBB...ad.zip
windows10-2004-x64
1LBB_PS1.ps1
windows7-x64
5LBB_PS1.ps1
windows10-2004-x64
9LBB_PS1_ob...ed.ps1
windows7-x64
3LBB_PS1_ob...ed.ps1
windows10-2004-x64
3LBB_PS1_pass.ps1
windows7-x64
10LBB_PS1_pass.ps1
windows10-2004-x64
10LBB_Reflec...in.dll
windows7-x64
9LBB_Reflec...in.dll
windows10-2004-x64
7LBB_Rundll32.dll
windows7-x64
3LBB_Rundll32.dll
windows10-2004-x64
3LBB_Rundll32_pass.dll
windows7-x64
10LBB_Rundll32_pass.dll
windows10-2004-x64
10LBB_pass.exe
windows7-x64
10LBB_pass.exe
windows10-2004-x64
10Password_dll.txt
windows7-x64
1Password_dll.txt
windows10-2004-x64
1Password_exe.txt
windows7-x64
1Password_exe.txt
windows10-2004-x64
1Password_ps1.txt
windows7-x64
1Password_ps1.txt
windows10-2004-x64
1Builds/LBG...ok.zip
windows7-x64
1Builds/LBG...ok.zip
windows10-2004-x64
1FC8E43EC21...32.exe
windows7-x64
7FC8E43EC21...32.exe
windows10-2004-x64
7FC8E43EC21...64.exe
windows7-x64
7FC8E43EC21...64.exe
windows10-2004-x64
7Analysis
-
max time kernel
94s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 22:23
Behavioral task
behavioral1
Sample
Builds.7z
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Builds.7z
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Builds/ESXi_vx-_____________329D6F9DDBF138D4_19.12.24_i_love_anime.zip
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
Builds/ESXi_vx-_____________329D6F9DDBF138D4_19.12.24_i_love_anime.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Builds/LBB_vx-_____________07AAB9B790E0235B_19.12.24_hacking_is_bad.zip
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Builds/LBB_vx-_____________07AAB9B790E0235B_19.12.24_hacking_is_bad.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
LBB_PS1.ps1
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
LBB_PS1.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
LBB_PS1_obfuscated.ps1
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
LBB_PS1_obfuscated.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
LBB_PS1_pass.ps1
Resource
win7-20241023-en
Behavioral task
behavioral12
Sample
LBB_PS1_pass.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
LBB_ReflectiveDll_DllMain.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
LBB_ReflectiveDll_DllMain.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
LBB_Rundll32.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
LBB_Rundll32.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
LBB_Rundll32_pass.dll
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
LBB_Rundll32_pass.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
LBB_pass.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
LBB_pass.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
Password_dll.txt
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
Password_dll.txt
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
Password_exe.txt
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
Password_exe.txt
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
Password_ps1.txt
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
Password_ps1.txt
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
Builds/LBG_vx-_____________FC8E43EC21BE9047_19.12.24_hacking_is_illegal_ok.zip
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
Builds/LBG_vx-_____________FC8E43EC21BE9047_19.12.24_hacking_is_illegal_ok.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
FC8E43EC21BE9047/lbg32.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
FC8E43EC21BE9047/lbg32.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
FC8E43EC21BE9047/lbg64.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
FC8E43EC21BE9047/lbg64.exe
Resource
win10v2004-20241007-en
General
-
Target
LBB_PS1.ps1
-
Size
466KB
-
MD5
17a7cd1ead2d35ed5d69c71d4fd7386d
-
SHA1
734400d4444b88fe3848c80e3dba2ad9a5155c56
-
SHA256
20dd91f589ea77b84c8ed0f67bce837d1f4d7688e56754e709d467db0bea03c9
-
SHA512
7d5cd9b042229d1076a587b75594a002d379396d6ec889a8aee457a6a5a399130ae0a43fe0863adae23e32e46a7d17d4b55bfc2564cb17e579751161f6778828
-
SSDEEP
1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJI:VA
Malware Config
Signatures
-
Renames multiple (146) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation BC89.tmp -
Deletes itself 1 IoCs
pid Process 1532 BC89.tmp -
Executes dropped EXE 1 IoCs
pid Process 1532 BC89.tmp -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\kF0wnCN24.bmp" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\kF0wnCN24.bmp" powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid Process 996 powershell.exe 996 powershell.exe 996 powershell.exe 996 powershell.exe 996 powershell.exe 996 powershell.exe 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp -
pid Process 1728 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BC89.tmp -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon\ = "C:\\ProgramData\\kF0wnCN24.ico" powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24 powershell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24\ = "kF0wnCN24" powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24 powershell.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1728 powershell.exe 1728 powershell.exe 996 powershell.exe 996 powershell.exe 996 powershell.exe 996 powershell.exe 996 powershell.exe 996 powershell.exe 996 powershell.exe 996 powershell.exe 996 powershell.exe 996 powershell.exe 996 powershell.exe 996 powershell.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp 1532 BC89.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1728 powershell.exe Token: SeDebugPrivilege 996 powershell.exe Token: SeAssignPrimaryTokenPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeDebugPrivilege 996 powershell.exe Token: 36 996 powershell.exe Token: SeImpersonatePrivilege 996 powershell.exe Token: SeIncBasePriorityPrivilege 996 powershell.exe Token: SeIncreaseQuotaPrivilege 996 powershell.exe Token: 33 996 powershell.exe Token: SeManageVolumePrivilege 996 powershell.exe Token: SeProfSingleProcessPrivilege 996 powershell.exe Token: SeRestorePrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeSystemProfilePrivilege 996 powershell.exe Token: SeTakeOwnershipPrivilege 996 powershell.exe Token: SeShutdownPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeDebugPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeSecurityPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe Token: SeBackupPrivilege 996 powershell.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1728 wrote to memory of 996 1728 powershell.exe 84 PID 1728 wrote to memory of 996 1728 powershell.exe 84 PID 1728 wrote to memory of 996 1728 powershell.exe 84 PID 996 wrote to memory of 1532 996 powershell.exe 98 PID 996 wrote to memory of 1532 996 powershell.exe 98 PID 996 wrote to memory of 1532 996 powershell.exe 98 PID 996 wrote to memory of 1532 996 powershell.exe 98 PID 1532 wrote to memory of 1020 1532 BC89.tmp 107 PID 1532 wrote to memory of 1020 1532 BC89.tmp 107 PID 1532 wrote to memory of 1020 1532 BC89.tmp 107 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\LBB_PS1.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\Admin\AppData\Local\Temp\LBB_PS1.ps12⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996 -
C:\ProgramData\BC89.tmp"C:\ProgramData\BC89.tmp"3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BC89.tmp >> NUL4⤵
- System Location Discovery: System Language Discovery
PID:1020
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:4080
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
1KB
MD5ca6e5843fe0f30068ddef94b0b542eca
SHA11527177e5ccfe0041918840613af104d2ba8a1c8
SHA2562655330566a9953364d9e13e939b3938e96a7b752d4f65f9586841b777ef137a
SHA5123296343e54290ae3c86d7f2deac6fe3e98a0b63428132aea9ae9b1d17805c7cadea183245e7ae9ee2d785430565989f0cd27a49600e7d8c61db66d151450b0e9
-
Filesize
466KB
MD5066172948f4c530fda2d01fe6e939426
SHA1479457112e79920e80e6812c7c8d8c50cbaaea5b
SHA256f0883de000ae2e09abb2c8f1a2525d5e0e06532739825d45591a5240f95932b8
SHA512cbca767b7f79ce39893c25f418bf3d3d3787d2fa41b7d26275a2049887b07d1227f42d462967f4591ffb2eeb88cdac642f58529abaf7a12d05e9ad02713ef1a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD530aea123931a176e4a10f7835c82ddf2
SHA15b47fe9616a40c70b2c96f5599cdc7de716c7764
SHA2567a4da77aecc6c82b498b546f94f0e609784ff1f8ded78db3be4125f442f8f679
SHA51274117c92bd0a3948684c8cadafd07673d0f8a63d4dfe68f96d36807a871309171d2d5095096bc8bb07e15471e7162a279eb37ebe6c13a648c37ac72d3e4bdd5f