Overview

Task tabs as shown in the report header (sample name as displayed on the tab, image, score badge; "-" means the tab carried no badge):

  Tab                      Image                Score
  Overview                 -                    10
  Static                   -                    10
  329D6F9DDB...I_I386      ubuntu-24.04-amd64   -
  329D6F9DDB...XI_X64      ubuntu-24.04-amd64   8
  LBB.exe                  windows7-x64         9
  LBB.exe                  windows10-2004-x64   9
  LBB_PS1.ps1              windows7-x64         5
  LBB_PS1.ps1              windows10-2004-x64   9
  LBB_PS1_ob...ed.ps1      windows7-x64         3
  LBB_PS1_ob...ed.ps1      windows10-2004-x64   3
  LBB_PS1_pass.ps1         windows7-x64         10
  LBB_PS1_pass.ps1         windows10-2004-x64   10
  LBB_Reflec...in.dll      windows7-x64         9
  LBB_Reflec...in.dll      windows10-2004-x64   7
  LBB_Rundll32.dll         windows7-x64         3
  LBB_Rundll32.dll         windows10-2004-x64   3
  LBB_Rundll32_pass.dll    windows7-x64         10
  LBB_Rundll32_pass.dll    windows10-2004-x64   10
  LBB_pass.exe             windows7-x64         10
  LBB_pass.exe             windows10-2004-x64   10
  FC8E43EC21...32.exe      windows7-x64         7
  FC8E43EC21...32.exe      windows10-2004-x64   7
  FC8E43EC21...64.exe      windows7-x64         7
  FC8E43EC21...64.exe      windows10-2004-x64   7
  1007BF65F8..._ARM64      ubuntu-18.04-amd64   -
  1007BF65F8..._ARM64      debian-9-armhf       -
  1007BF65F8..._ARM64      debian-9-mips        -
  1007BF65F8..._ARM64      debian-9-mipsel      -
  1007BF65F8..._ARMV5      debian-9-armhf       8
  1007BF65F8..._ARMV7      debian-9-armhf       8
  1007BF65F8..._AMD64      ubuntu-24.04-amd64   -
  1007BF65F8...X_I386      ubuntu-22.04-amd64   -
  1007BF65F8...UX_X64      ubuntu-22.04-amd64   8
  1007BF65F8...r_MIPS      debian-9-mips        8

Tabs without a badge include every task that ran an ARM64 or FreeBSD binary on an image that cannot execute it (amd64, armhf, mips, mipsel), so those gaps reflect the chosen image rather than the sample. The task detailed on this page is FC8E43EC21...32.exe on windows10-2004-x64 (score 7).

Analysis
- Max time kernel: 25s
- Max time network: 151s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 19-12-2024 22:25
Behavioral tasks

  Task          Sample                                  Resource
  behavioral1   329D6F9DDBF138D4/locker_ESXI_I386       ubuntu2404-amd64-20240523-en
  behavioral2   329D6F9DDBF138D4/locker_ESXI_X64        ubuntu2404-amd64-20240523-en
  behavioral3   LBB.exe                                 win7-20240903-en
  behavioral4   LBB.exe                                 win10v2004-20241007-en
  behavioral5   LBB_PS1.ps1                             win7-20241010-en
  behavioral6   LBB_PS1.ps1                             win10v2004-20241007-en
  behavioral7   LBB_PS1_obfuscated.ps1                  win7-20241023-en
  behavioral8   LBB_PS1_obfuscated.ps1                  win10v2004-20241007-en
  behavioral9   LBB_PS1_pass.ps1                        win7-20240903-en
  behavioral10  LBB_PS1_pass.ps1                        win10v2004-20241007-en
  behavioral11  LBB_ReflectiveDll_DllMain.dll           win7-20240903-en
  behavioral12  LBB_ReflectiveDll_DllMain.dll           win10v2004-20241007-en
  behavioral13  LBB_Rundll32.dll                        win7-20240729-en
  behavioral14  LBB_Rundll32.dll                        win10v2004-20241007-en
  behavioral15  LBB_Rundll32_pass.dll                   win7-20240903-en
  behavioral16  LBB_Rundll32_pass.dll                   win10v2004-20241007-en
  behavioral17  LBB_pass.exe                            win7-20241010-en
  behavioral18  LBB_pass.exe                            win10v2004-20241007-en
  behavioral19  FC8E43EC21BE9047/lbg32.exe              win7-20240903-en
  behavioral20  FC8E43EC21BE9047/lbg32.exe              win10v2004-20241007-en
  behavioral21  FC8E43EC21BE9047/lbg64.exe              win7-20240903-en
  behavioral22  FC8E43EC21BE9047/lbg64.exe              win10v2004-20241007-en
  behavioral23  1007BF65F80311D2/locker_ARM64           ubuntu1804-amd64-20240611-en
  behavioral24  1007BF65F80311D2/locker_ARM64           debian9-armhf-20240611-en
  behavioral25  1007BF65F80311D2/locker_ARM64           debian9-mipsbe-20240418-en
  behavioral26  1007BF65F80311D2/locker_ARM64           debian9-mipsel-20240729-en
  behavioral27  1007BF65F80311D2/locker_ARMV5           debian9-armhf-20240611-en
  behavioral28  1007BF65F80311D2/locker_ARMV7           debian9-armhf-20240611-en
  behavioral29  1007BF65F80311D2/locker_FREEBSD_AMD64   ubuntu2404-amd64-20240523-en
  behavioral30  1007BF65F80311D2/locker_LINUX_I386      ubuntu2204-amd64-20240611-en
  behavioral31  1007BF65F80311D2/locker_LINUX_X64       ubuntu2204-amd64-20240729-en

The sections that follow describe behavioral20 (lbg32.exe on win10v2004-20241007-en). The report header also lists a locker_MIPS task on debian-9-mips that is not present in this list.
General

- Target: FC8E43EC21BE9047/lbg32.exe
- Size: 60KB
- MD5: c5cc3c5cef6b382568a54f579b2965ff
- SHA1: e85b5bf2fd1ea0d5d71841f2cc8d46fc2055c22b
- SHA256: 48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5
- SHA512: 74d93ba3dc7b3fdfafe30663162dad3fee0b278d12fea527eb535b4eb25979dcc365b49cb702ac9c2addbb0ee550310759e88c2657b61a2b0e4906d4099281eb
- SSDEEP: 1536:SAndsqiqdYMRgIaN04k27Gtdf/3U9s1iGbQTqL9:Fds3vIaN04kKGhjmq

Malware Config
  (no configuration was extracted for this task)
Signatures

Credentials from Password Stores: Windows Credential Manager (1 TTP)
  Suspicious access to Credentials History.

Deletes itself (1 IoC)
  pid   Process
  4676  lbg32.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. This signature and the Credential Manager one above are heuristic and carry no IoCs in this task; the drive and Program Files activity below shows an encryptor walking the file system, which explains them at least as well as credential theft, and nothing on this page shows credentials being collected or sent anywhere.

Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive. \??\X: is the object-manager path of a drive root; every letter from A: to Z: is probed except C:, Q:, R: and W:.

  description              ioc      Process
  File opened (read-only)  \??\S:   lbg32.exe
  File opened (read-only)  \??\J:   lbg32.exe
  File opened (read-only)  \??\K:   lbg32.exe
  File opened (read-only)  \??\Z:   lbg32.exe
  File opened (read-only)  \??\O:   lbg32.exe
  File opened (read-only)  \??\N:   lbg32.exe
  File opened (read-only)  \??\P:   lbg32.exe
  File opened (read-only)  \??\Y:   lbg32.exe
  File opened (read-only)  \??\I:   lbg32.exe
  File opened (read-only)  \??\A:   lbg32.exe
  File opened (read-only)  \??\L:   lbg32.exe
  File opened (read-only)  \??\X:   lbg32.exe
  File opened (read-only)  \??\V:   lbg32.exe
  File opened (read-only)  \??\E:   lbg32.exe
  File opened (read-only)  \??\U:   lbg32.exe
  File opened (read-only)  \??\G:   lbg32.exe
  File opened (read-only)  \??\H:   lbg32.exe
  File opened (read-only)  \??\B:   lbg32.exe
  File opened (read-only)  \??\M:   lbg32.exe
  File opened (read-only)  \??\D:   lbg32.exe
  File opened (read-only)  \??\F:   lbg32.exe
  File opened (read-only)  \??\T:   lbg32.exe
Drops file in Program Files directory (64 IoCs)
  Two kinds of event are mixed in this signature. The 20 "File created" entries are the note Restore-My-Files.txt written into each directory the sample visits. The 44 "File opened for modification" entries are existing files opened under a new name made of the original name plus a 12-hex-digit suffix, which is how an encrypted file appears when a locker renames and rewrites it in place. Note that the suffix differs from file to file in this task rather than being one fixed extension, so a detection keyed on a single extension will not match.

  File created (note), Process lbg32.exe:
    C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Restore-My-Files.txt
    C:\Program Files\Internet Explorer\ja-JP\Restore-My-Files.txt
    C:\Program Files (x86)\Common Files\System\de-DE\Restore-My-Files.txt
    C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\Restore-My-Files.txt
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\Restore-My-Files.txt
    C:\Program Files\Google\Restore-My-Files.txt
    C:\Program Files\Common Files\microsoft shared\ink\he-IL\Restore-My-Files.txt
    C:\Program Files\Microsoft Office\root\Office16\BORDERS\Restore-My-Files.txt
    C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\Restore-My-Files.txt
    C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\Restore-My-Files.txt
    C:\Program Files\Restore-My-Files.txt
    C:\Program Files (x86)\Common Files\System\Ole DB\Restore-My-Files.txt
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Restore-My-Files.txt
    C:\Program Files\Java\jre-1.8\lib\applet\Restore-My-Files.txt
    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\Restore-My-Files.txt
    C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Restore-My-Files.txt
    C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Restore-My-Files.txt
    C:\Program Files (x86)\Google\Update\Offline\Restore-My-Files.txt
    C:\Program Files (x86)\Google\Update\Install\Restore-My-Files.txt
    C:\Program Files\Java\jdk-1.8\jre\lib\security\Restore-My-Files.txt

  File opened for modification (original name plus appended suffix), Process lbg32.exe:
    C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hu.pak.bc4ef1506298
    C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSPCL.TTF.9b940c1f19d7
    C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.be1fa2eee4b6
    C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.85b234292bd1
    C:\Program Files\Microsoft Office\root\Office16\1033\CLVWINTL.DLL.98c75c7c06b4
    C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.dc69b6704e38
    C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.e16a889d8755
    C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.51d486c5d3ed
    C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms.8fe965253f4d
    C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.70483b2c12c4
    C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CalibriL.ttf.476024ebe5b3
    C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.bf338f35238d
    C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png.ac61ce404e98
    C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.41e0a2ede3b5
    C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.9e53ce161cae
    C:\Program Files\Microsoft Office\root\Office16\POWERPNT.VisualElementsManifest.xml.c30fcfb1bf09
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme.fe25d892e4ca
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\id.pak.820a8bf2e0ca
    C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.429cdd56208e
    C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.ceea27667c0e
    C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.a7bf1b353bed
    C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.74e691181ac0
    C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.TLB.1a918896982e
    C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es.pak.507526c4d2ac
    C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\vlc.mo.152432b9bf61
    C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.56580dcad4e2
    C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.131a0a83915b
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf.af2a86c7ddef
    C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md.29381245bb6d
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\el.pak.94a532383ee0
    C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo.7e4d301224da
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\external_extensions.json.77e3971d1bc5
    C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md.df66ba7f4537
    C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.d7a773c5fb2d
    C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.b80db6ecea94
    C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.4531776b6993
    C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.boot.tree.dat.3ce7d8d0a208
    C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx.88018ae4eabc
    C:\Program Files\Mozilla Firefox\crashreporter.ini.d6d2075e5466
    C:\Program Files (x86)\Internet Explorer\fr-FR\ieinstal.exe.mui.548cdb484e60
    C:\Program Files\VideoLAN\VLC\COPYING.txt.9650c51a14a2
    C:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL.22153476403e
    C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png.f5ef1967695f
    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSORES.DLL.1cd8c7908ed8
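The two file-system signatures above (the drive-root probes and the Program Files drops) are the raw material an analyst turns into host indicators. The following Python is an added example, not code from the report or from the sample: it parses IoC lines in the report's own "File <action> <path> <process>" layout and derives three encryptor indicators from them, namely drive roots probed, one basename created in many directories (the note), and files written under their original name plus an appended hex suffix. The input is constructed: nine lines copied from this report plus two benign lines (notepad.exe, WINWORD.EXE) that are not on the page, and the thresholds in verdict() are illustrative choices, not the sandbox's scoring.

```python
"""Turn Triage-style file IoC lines into encryptor indicators (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: nine lines copied from the lbg32.exe report above,
# plus two benign lines (notepad.exe, WINWORD.EXE) that are NOT on the page.
SAMPLE_IOCS = r"""
File opened (read-only) \??\S: lbg32.exe
File opened (read-only) \??\J: lbg32.exe
File opened (read-only) \??\D: lbg32.exe
File created C:\Program Files\Internet Explorer\ja-JP\Restore-My-Files.txt lbg32.exe
File created C:\Program Files\Google\Restore-My-Files.txt lbg32.exe
File created C:\Program Files\Restore-My-Files.txt lbg32.exe
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hu.pak.bc4ef1506298 lbg32.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSPCL.TTF.9b940c1f19d7 lbg32.exe
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.ini.d6d2075e5466 lbg32.exe
File created C:\Users\Admin\AppData\Local\Temp\setup.log notepad.exe
File opened for modification C:\Users\Admin\Documents\report.docx WINWORD.EXE
"""

# "File <action> <path, may contain spaces> <process>": the process is the last token.
IOC_RE = re.compile(r"^File (opened \(read-only\)|opened for modification|created)\s+(.+?)\s+(\S+)$")
# \??\X: is the object-manager path of a drive root.
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")
# Original name (which still carries its own extension) plus an appended run of hex.
APPENDED_RE = re.compile(r"^(.+\.[^.\\]+)\.([0-9a-f]{8,16})$")


@dataclass(frozen=True)
class FileEvent:
    action: str
    path: str
    process: str


def parse_ioc(line: str) -> Optional[FileEvent]:
    """One report line -> FileEvent, or None for lines that are not file IoCs."""
    m = IOC_RE.match(line.strip())
    return FileEvent(*m.groups()) if m else None


def parse_report(text: str, process: Optional[str] = None) -> list:
    events = [ev for ev in map(parse_ioc, text.splitlines()) if ev]
    return [ev for ev in events if process is None or ev.process == process]


def drives_probed(events) -> set:
    """Drive letters whose root was opened read-only (the drive-enumeration signature)."""
    return {m.group(1) for ev in events
            if ev.action == "opened (read-only)" and (m := DRIVE_RE.match(ev.path))}


def ransom_note_candidates(events, min_dirs: int = 3) -> dict:
    """Basenames *created* in at least min_dirs distinct directories -> directory count."""
    dirs_by_name = defaultdict(set)
    for ev in events:
        if ev.action == "created":
            directory, _, name = ev.path.rpartition("\\")
            dirs_by_name[name].add(directory)
    return {n: len(d) for n, d in dirs_by_name.items() if len(d) >= min_dirs}


def encrypted_files(events) -> list:
    """(original path, appended suffix) for files written under a hex-suffixed name."""
    out = []
    for ev in events:
        if ev.action == "opened for modification":
            directory, _, name = ev.path.rpartition("\\")
            m = APPENDED_RE.match(name)
            if m:
                out.append((directory + "\\" + m.group(1), m.group(2)))
    return out


def summarize(text: str, process: Optional[str] = None) -> dict:
    events = parse_report(text, process)
    enc = encrypted_files(events)
    suffixes = {s for _, s in enc}
    return {
        "process": process,
        "drives_probed": sorted(drives_probed(events)),
        "ransom_notes": ransom_note_candidates(events),
        "encrypted_count": len(enc),
        "distinct_suffixes": len(suffixes),
        # one fixed extension configured per build vs. a suffix that varies per file
        "suffix_is_fixed": len(enc) > 1 and len(suffixes) == 1,
    }


def verdict(summary: dict) -> str:
    """Illustrative rule: two or more independent encryptor behaviours -> 'ransomware'."""
    hits = sum([
        bool(summary["ransom_notes"]),
        summary["encrypted_count"] >= 3,
        len(summary["drives_probed"]) >= 3,
    ])
    return {0: "clean", 1: "suspicious"}.get(hits, "ransomware")


if __name__ == "__main__":
    for proc in ("lbg32.exe", "WINWORD.EXE"):
        s = summarize(SAMPLE_IOCS, proc)
        print(proc, verdict(s), s)
```

Run against the constructed input, lbg32.exe yields three probed drives, Restore-My-Files.txt in three directories and three rewritten files with three different suffixes (suffix_is_fixed is False, matching the observation above), while WINWORD.EXE yields nothing. The hex-suffix pattern is deliberately loose (8 to 16 hex digits after a real extension); on a live host it should be combined with the note or drive indicators rather than used alone, because some legitimate software also writes hash-named files.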
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   lbg32.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  4676  lbg32.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description                               pid   Process
  Token: SeDebugPrivilege                   4676  lbg32.exe
  Token: SeBackupPrivilege                  4596  vssvc.exe
  Token: SeRestorePrivilege                 4596  vssvc.exe
  Token: SeAuditPrivilege                   4596  vssvc.exe
  Token: SeIncreaseQuotaPrivilege           3760  WMIC.exe
  Token: SeSecurityPrivilege                3760  WMIC.exe
  Token: SeTakeOwnershipPrivilege           3760  WMIC.exe
  Token: SeLoadDriverPrivilege              3760  WMIC.exe
  Token: SeSystemProfilePrivilege           3760  WMIC.exe
  Token: SeSystemtimePrivilege              3760  WMIC.exe
  Token: SeProfSingleProcessPrivilege       3760  WMIC.exe
  Token: SeIncBasePriorityPrivilege         3760  WMIC.exe
  Token: SeCreatePagefilePrivilege          3760  WMIC.exe
  Token: SeBackupPrivilege                  3760  WMIC.exe
  Token: SeRestorePrivilege                 3760  WMIC.exe
  Token: SeShutdownPrivilege                3760  WMIC.exe
  Token: SeDebugPrivilege                   3760  WMIC.exe
  Token: SeSystemEnvironmentPrivilege       3760  WMIC.exe
  Token: SeRemoteShutdownPrivilege          3760  WMIC.exe
  Token: SeUndockPrivilege                  3760  WMIC.exe
  Token: SeManageVolumePrivilege            3760  WMIC.exe
  Token: 33                                 3760  WMIC.exe
  Token: 34                                 3760  WMIC.exe
  Token: 35                                 3760  WMIC.exe
  Token: 36                                 3760  WMIC.exe
  The 21 WMIC.exe entries are reported a second time in the same order, giving 42 WMIC entries and 46 in total. The four numeric entries are privilege LUIDs the report did not resolve to names; on Windows 10 they are 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. Reading this list: WMIC.exe enabling its whole privilege set is what wmic routinely does for itself and is not attributable to the sample; vssvc.exe takes backup/restore privileges to service the shadow-copy request; the sample-specific entry is lbg32.exe enabling SeDebugPrivilege.

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process    procid_target
  PID 4676 wrote to memory of 3040   4676  lbg32.exe  85
  PID 4676 wrote to memory of 3040   4676  lbg32.exe  85
  PID 3040 wrote to memory of 3760   3040  cmd.exe    87
  PID 3040 wrote to memory of 3760   3040  cmd.exe    87
  Both writes are parent to child and match the process tree below (lbg32.exe spawns cmd.exe, cmd.exe spawns WMIC.exe), i.e. the memory writes that accompany process creation rather than injection into an unrelated process.

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots. In this task the request reaches it through WMIC (see the process tree below); vssvc.exe starting and taking backup/restore privileges is the service answering that request.
Processes

- C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe (PID 4676)
  command line: "C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe"
  - Deletes itself
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SYSTEM32\cmd.exe (PID 3040)
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete
    - Suspicious use of WriteProcessMemory
    - child: C:\Windows\System32\wbem\WMIC.exe (PID 3760)
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete
      - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\vssvc.exe (PID 4596)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

Note on the shadow-copy deletion: the sample does not run vssadmin delete shadows /all. It deletes one specific snapshot by its ID through WMIC, via cmd.exe /c ... WMIC.exe shadowcopy where "ID='{...}'" delete, so a host with several snapshots would show one such cmd.exe/WMIC.exe pair per snapshot. Command-line detections keyed only on vssadmin, or on /all, miss this form; match wmic ... shadowcopy ... delete as well. The GUID is the shadow-copy ID of the sandbox VM and is not an indicator for the sample.
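The tree above is the detection problem in miniature: the deletion is spread over a parent (cmd.exe) and a child (WMIC.exe), the command names a specific snapshot ID instead of /all, and the only other process in the picture (vssvc.exe) is a legitimate service. The following Python is an added example, not code from the report or from the sample: it applies a small set of command-line rules to process-creation events, normalising case and whitespace first, walks parent PIDs to reconstruct the chain, and pulls the snapshot GUID out of by-ID deletes. The events are constructed from the tree above; the parent PIDs 1234, 700 and 2200 and the benign "vssadmin list shadows" line are assumptions that the report does not contain.

```python
"""Flag shadow-copy deletion in process-creation events, including WMIC by-ID deletes
(added example)."""
import re

# The WMIC command line exactly as it appears in the report's process tree.
WMIC_DELETE = '''C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete'''

# Constructed sample: the three-process chain and the vssvc.exe start from the report,
# plus one benign admin command (vssadmin list shadows) that is NOT on the page.
# Parent PIDs 1234/700/2200 are assumed; the report does not show them.
SAMPLE_EVENTS = [
    {"pid": 4676, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe"'},
    {"pid": 3040, "ppid": 4676, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": "cmd.exe /c " + WMIC_DELETE},
    {"pid": 3760, "ppid": 3040, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": WMIC_DELETE},
    {"pid": 4596, "ppid": 700, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
    {"pid": 5100, "ppid": 2200, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# (label, regex over the normalised command line). Each rule tolerates a full path
# to the tool and arbitrary text between the keywords, so both "shadowcopy delete"
# and "shadowcopy where ... delete" match.
RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("win32_shadowcopy delete", re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b")),
]
SHADOW_ID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace so spacing or case tricks do not dodge the rules."""
    return " ".join(cmdline.split()).lower()


def is_shadow_copy_deletion(cmdline: str):
    """Rule label if the command deletes shadow copies, else None."""
    norm = normalise(cmdline)
    for label, rx in RULES:
        if rx.search(norm):
            return label
    return None


def process_chain(events, pid):
    """Image names from the oldest known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect_shadow_copy_deletion(events):
    """One alert per process whose command line matches, with its ancestry and snapshot ID."""
    alerts = []
    for e in events:
        reason = is_shadow_copy_deletion(e["cmdline"])
        if reason is None:
            continue
        m = SHADOW_ID_RE.search(e["cmdline"])
        alerts.append({
            "pid": e["pid"],
            "reason": reason,
            "chain": process_chain(events, e["pid"]),
            "shadow_id": m.group(0) if m else None,   # set only for by-ID deletes
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this produces two alerts, for cmd.exe (PID 3040) and WMIC.exe (PID 3760), both tagged "wmic shadowcopy delete" and both carrying the snapshot GUID, with the WMIC.exe alert's chain reading lbg32.exe, cmd.exe, WMIC.exe; vssvc.exe and the benign listing command produce nothing. Alerting on the parent as well as the child is intentional: on a host where wmic.exe is blocked or the child event is lost, the cmd.exe line still carries the full command.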
Network
  (nothing listed for this task)

MITRE ATT&CK Enterprise v15

Credential Access
- Credentials from Password Stores, T1555 (2)
  - Credentials from Web Browsers, T1555.003 (1)
  - Windows Credential Manager, T1555.004 (1)
- Unsecured Credentials, T1552 (1)
  - Credentials In Files, T1552.001 (1)

Only Credential Access techniques are mapped here; the shadow-copy deletion, drive enumeration and system-language check recorded in the signatures above have no corresponding entries in this mapping.
Downloads

- Filesize: 6KB
  MD5: 74a77bd81fa83b32b595eafa20c978ec
  SHA1: 5ce7e2079a61d012d4839a84eb7bb329651a2ead
  SHA256: 49cc31e84e5f3cf75de5d5f58f62ac6c43d9dca726dfc750593129b730a56616
  SHA512: 71accd7c7e1060a696718a4f11a7e04c2f6c16b05dfe4fa12e80878d703a403b7d33861b1315436f881fba37e1a0c3ae2aefc09499f5e7b04b2c582ba0e635e4