Overview

Task                      Platform              Score
Overview                                        10
Static                                          10
329D6F9DDB...I_I386       ubuntu-24.04-amd64
329D6F9DDB...XI_X64       ubuntu-24.04-amd64    8
LBB.exe                   windows7-x64          9
LBB.exe                   windows10-2004-x64    9
LBB_PS1.ps1               windows7-x64          5
LBB_PS1.ps1               windows10-2004-x64    9
LBB_PS1_ob...ed.ps1       windows7-x64          3
LBB_PS1_ob...ed.ps1       windows10-2004-x64    3
LBB_PS1_pass.ps1          windows7-x64          10
LBB_PS1_pass.ps1          windows10-2004-x64    10
LBB_Reflec...in.dll       windows7-x64          9
LBB_Reflec...in.dll       windows10-2004-x64    7
LBB_Rundll32.dll          windows7-x64          3
LBB_Rundll32.dll          windows10-2004-x64    3
LBB_Rundll32_pass.dll     windows7-x64          10
LBB_Rundll32_pass.dll     windows10-2004-x64    10
LBB_pass.exe              windows7-x64          10
LBB_pass.exe              windows10-2004-x64    10
FC8E43EC21...32.exe       windows7-x64          7
FC8E43EC21...32.exe       windows10-2004-x64    7
FC8E43EC21...64.exe       windows7-x64          7
FC8E43EC21...64.exe       windows10-2004-x64    7
1007BF65F8..._ARM64       ubuntu-18.04-amd64
1007BF65F8..._ARM64       debian-9-armhf
1007BF65F8..._ARM64       debian-9-mips
1007BF65F8..._ARM64       debian-9-mipsel
1007BF65F8..._ARMV5       debian-9-armhf        8
1007BF65F8..._ARMV7       debian-9-armhf        8
1007BF65F8..._AMD64       ubuntu-24.04-amd64
1007BF65F8...X_I386       ubuntu-22.04-amd64
1007BF65F8...UX_X64       ubuntu-22.04-amd64    8
1007BF65F8...r_MIPS       debian-9-mips         8

Analysis

max time kernel:   118s
max time network:  123s
platform:          windows7_x64
resource:          win7-20240903-en
resource tags:     arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted:         19-12-2024 22:25
Behavioral tasks

Task          Sample                                   Resource
behavioral1   329D6F9DDBF138D4/locker_ESXI_I386        ubuntu2404-amd64-20240523-en
behavioral2   329D6F9DDBF138D4/locker_ESXI_X64         ubuntu2404-amd64-20240523-en
behavioral3   LBB.exe                                  win7-20240903-en
behavioral4   LBB.exe                                  win10v2004-20241007-en
behavioral5   LBB_PS1.ps1                              win7-20241010-en
behavioral6   LBB_PS1.ps1                              win10v2004-20241007-en
behavioral7   LBB_PS1_obfuscated.ps1                   win7-20241023-en
behavioral8   LBB_PS1_obfuscated.ps1                   win10v2004-20241007-en
behavioral9   LBB_PS1_pass.ps1                         win7-20240903-en
behavioral10  LBB_PS1_pass.ps1                         win10v2004-20241007-en
behavioral11  LBB_ReflectiveDll_DllMain.dll            win7-20240903-en
behavioral12  LBB_ReflectiveDll_DllMain.dll            win10v2004-20241007-en
behavioral13  LBB_Rundll32.dll                         win7-20240729-en
behavioral14  LBB_Rundll32.dll                         win10v2004-20241007-en
behavioral15  LBB_Rundll32_pass.dll                    win7-20240903-en
behavioral16  LBB_Rundll32_pass.dll                    win10v2004-20241007-en
behavioral17  LBB_pass.exe                             win7-20241010-en
behavioral18  LBB_pass.exe                             win10v2004-20241007-en
behavioral19  FC8E43EC21BE9047/lbg32.exe               win7-20240903-en
behavioral20  FC8E43EC21BE9047/lbg32.exe               win10v2004-20241007-en
behavioral21  FC8E43EC21BE9047/lbg64.exe               win7-20240903-en
behavioral22  FC8E43EC21BE9047/lbg64.exe               win10v2004-20241007-en
behavioral23  1007BF65F80311D2/locker_ARM64            ubuntu1804-amd64-20240611-en
behavioral24  1007BF65F80311D2/locker_ARM64            debian9-armhf-20240611-en
behavioral25  1007BF65F80311D2/locker_ARM64            debian9-mipsbe-20240418-en
behavioral26  1007BF65F80311D2/locker_ARM64            debian9-mipsel-20240729-en
behavioral27  1007BF65F80311D2/locker_ARMV5            debian9-armhf-20240611-en
behavioral28  1007BF65F80311D2/locker_ARMV7            debian9-armhf-20240611-en
behavioral29  1007BF65F80311D2/locker_FREEBSD_AMD64    ubuntu2404-amd64-20240523-en
behavioral30  1007BF65F80311D2/locker_LINUX_I386       ubuntu2204-amd64-20240611-en
behavioral31  1007BF65F80311D2/locker_LINUX_X64        ubuntu2204-amd64-20240729-en
General

Target:  FC8E43EC21BE9047/lbg32.exe
Size:    60KB
MD5:     c5cc3c5cef6b382568a54f579b2965ff
SHA1:    e85b5bf2fd1ea0d5d71841f2cc8d46fc2055c22b
SHA256:  48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5
SHA512:  74d93ba3dc7b3fdfafe30663162dad3fee0b278d12fea527eb535b4eb25979dcc365b49cb702ac9c2addbb0ee550310759e88c2657b61a2b0e4906d4099281eb
SSDEEP:  1536:SAndsqiqdYMRgIaN04k27Gtdf/3U9s1iGbQTqL9:Fds3vIaN04kKGhjmq
Malware Config
Signatures

Deletes itself (1 IoC)
  pid 2948  lbg32.exe

Drops startup file (1 IoC)
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Restore-My-Files.txt  lbg32.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by lbg32.exe: \??\H: \??\Z: \??\N: \??\E: \??\K: \??\B: \??\X: \??\V: \??\M: \??\Y: \??\U: \??\P: \??\A: \??\J: \??\D: \??\F: \??\L: \??\T: \??\I: \??\O: \??\S: \??\G:
Drops file in Program Files directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lbg32.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid 2948  lbg32.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Image paths: lbg32.exe = C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe, cmd.exe = C:\Windows\system32\cmd.exe, WMIC.exe = C:\Windows\System32\wbem\WMIC.exe, vssvc.exe = C:\Windows\system32\vssvc.exe. Indentation shows parent/child depth; each process lists its command line and the signatures attributed to it.

lbg32.exe (PID 2948)
  "C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe"
  - Deletes itself
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  cmd.exe (PID 1928)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C0A7565B-A19F-4402-9B8C-EE58F5677206}'" delete
    - Suspicious use of WriteProcessMemory
    WMIC.exe (PID 2000)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C0A7565B-A19F-4402-9B8C-EE58F5677206}'" delete
      - Suspicious use of AdjustPrivilegeToken

  cmd.exe (PID 2064)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EEC8685-DBBC-40B7-83F7-EBE9F961E50A}'" delete
    - Suspicious use of WriteProcessMemory
    WMIC.exe (PID 1432)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EEC8685-DBBC-40B7-83F7-EBE9F961E50A}'" delete
      - Suspicious use of AdjustPrivilegeToken

  cmd.exe (PID 1972)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3EF019B-3827-46D5-AAE6-7A5F9B72E352}'" delete
    - Suspicious use of WriteProcessMemory
    WMIC.exe (PID 2912)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3EF019B-3827-46D5-AAE6-7A5F9B72E352}'" delete

  cmd.exe (PID 2784)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C46025E1-89AE-4E89-A6B2-627BD36BEBA7}'" delete
    - Suspicious use of WriteProcessMemory
    WMIC.exe (PID 328)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C46025E1-89AE-4E89-A6B2-627BD36BEBA7}'" delete

  cmd.exe (PID 1088)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7FEB2B6D-C65D-4F8B-96F4-5C290BF1392E}'" delete
    - Suspicious use of WriteProcessMemory
    WMIC.exe (PID 1620)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7FEB2B6D-C65D-4F8B-96F4-5C290BF1392E}'" delete

  cmd.exe (PID 1296)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38024B4B-EA00-4E0B-9254-7847544CB184}'" delete
    - Suspicious use of WriteProcessMemory
    WMIC.exe (PID 1732)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38024B4B-EA00-4E0B-9254-7847544CB184}'" delete

  cmd.exe (PID 480)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{070F76DF-8D94-4D9C-8D5E-8288E6D99D33}'" delete
    - Suspicious use of WriteProcessMemory
    WMIC.exe (PID 2600)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{070F76DF-8D94-4D9C-8D5E-8288E6D99D33}'" delete

  cmd.exe (PID 1132)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0DBC292F-1D3D-47BB-98CD-05C9763CDD70}'" delete
    - Suspicious use of WriteProcessMemory
    WMIC.exe (PID 1624)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0DBC292F-1D3D-47BB-98CD-05C9763CDD70}'" delete

  cmd.exe (PID 600)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BFDEA41B-0C5B-4A69-8904-D0D8C8B4BD52}'" delete
    - Suspicious use of WriteProcessMemory
    WMIC.exe (PID 592)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BFDEA41B-0C5B-4A69-8904-D0D8C8B4BD52}'" delete

  cmd.exe (PID 2160)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{661ADE96-9D98-4439-A4A3-21497C149A84}'" delete
    WMIC.exe (PID 1712)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{661ADE96-9D98-4439-A4A3-21497C149A84}'" delete

  cmd.exe (PID 2352)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49F9E8B9-5C23-4EFC-922F-403BF3CF1CD8}'" delete
    WMIC.exe (PID 1448)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49F9E8B9-5C23-4EFC-922F-403BF3CF1CD8}'" delete

  cmd.exe (PID 2364)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B00B17C0-9080-4AFD-B9FE-5625D3C964B6}'" delete
    WMIC.exe (PID 2360)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B00B17C0-9080-4AFD-B9FE-5625D3C964B6}'" delete

  cmd.exe (PID 1224)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B42A6924-C6F8-405C-A922-10D4551D692A}'" delete
    WMIC.exe (PID 708)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B42A6924-C6F8-405C-A922-10D4551D692A}'" delete

  cmd.exe (PID 1612)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EE259E2-D2AC-45D1-9714-41C32E03FEA5}'" delete
    WMIC.exe (PID 876)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EE259E2-D2AC-45D1-9714-41C32E03FEA5}'" delete

  cmd.exe (PID 1236)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06EF4E8E-D39F-475F-AFE4-9F81C5C17F7B}'" delete
    WMIC.exe (PID 1300)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06EF4E8E-D39F-475F-AFE4-9F81C5C17F7B}'" delete

  cmd.exe (PID 1512)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B30B3BC9-99AA-45F9-A653-DBB54ECA8A3A}'" delete
    WMIC.exe (PID 2928)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B30B3BC9-99AA-45F9-A653-DBB54ECA8A3A}'" delete

  cmd.exe (PID 1492)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD7099CD-3DAF-4D00-874E-B6365BD7580B}'" delete
    WMIC.exe (PID 2124)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD7099CD-3DAF-4D00-874E-B6365BD7580B}'" delete

  cmd.exe (PID 1908)
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA251BFA-C949-4FDE-98A2-277792D6DA8E}'" delete
    WMIC.exe (PID 2456)
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA251BFA-C949-4FDE-98A2-277792D6DA8E}'" delete

vssvc.exe (PID 2616)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize:  6KB
MD5:       74a77bd81fa83b32b595eafa20c978ec
SHA1:      5ce7e2079a61d012d4839a84eb7bb329651a2ead
SHA256:    49cc31e84e5f3cf75de5d5f58f62ac6c43d9dca726dfc750593129b730a56616
SHA512:    71accd7c7e1060a696718a4f11a7e04c2f6c16b05dfe4fa12e80878d703a403b7d33861b1315436f881fba37e1a0c3ae2aefc09499f5e7b04b2c582ba0e635e4