Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 22:25

General

  • Target

    LBB.exe

  • Size

    160KB

  • MD5

    d1986caa455ffa11b46341e837777e52

  • SHA1

    c045c2be676ebba04d7403f3636c7adb685a4011

  • SHA256

    e2bda5afc3e70460223a98cd3520e4ab97fd126a48b9fe7d385e1e9730a11407

  • SHA512

    ea87e4f31a45a4e54c56dc120ce26c369a02af952d0c20411677c4cba4eb442a43b776d094150458a0b72dc65b53ca29fc300739cc56f81c6f7fee5e15043359

  • SSDEEP

    3072:gDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368Pu7YlTx6gIB8FrN75DyW:K5d/zugZqll3AYrG+

Malware Config

Signatures

  • Renames multiple (173) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\LBB.exe
    "C:\Users\Admin\AppData\Local\Temp\LBB.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\ProgramData\DB51.tmp
      "C:\ProgramData\DB51.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DB51.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2528
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:580
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:2372

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini

      Filesize

      129B

      MD5

      d9351fdda3b27f2981eff0841fea5de6

      SHA1

      c3c8f2792c4d8ce491ca9e023e04bb6253594d85

      SHA256

      c9f89ff3fcd522285046a918ea460d43649d5a7bc2fb778db9b7f25a14fa7c99

      SHA512

      3a5f093bd5d1c05882a3d05ea8b7035374c81c379fb8d61ca1611d8bbbe2ba3b3fe345a699bb5ad9d8078626193668b3b5c259ba113de73c6e7159e0dc9d7faf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDD

      Filesize

      160KB

      MD5

      88e4dafad354791c4675022aab0d3459

      SHA1

      57d946ffd384a86b2ef6d6a2ced159a36972e75b

      SHA256

      ec4e68c8c09420bd93aa06485dde930d48411b189e14b0579f39e002dd925dd5

      SHA512

      54184235933b0b2c12f9cb9d714d3755dd9fabf6e8153749662757a643c50c8d3e896a8d922e46f2fd6ba82f5f91c73e3325ce68bef82a71b63bf915d6256d87

    • C:\Users\kF0wnCN24.README.txt

      Filesize

      6KB

      MD5

      ccc27d1a265e0b9def5571b4b5c1dea5

      SHA1

      3593f5e0240a60243fb1499525a404702c1d1a7c

      SHA256

      4a32c33717b1d4b4f76a5a545be7b4f51277ed1dee4381e52ce526d3774f53ad

      SHA512

      ed42c6e88a9e6ecf3845e23e999c48ec0eee3b6b3b3de9b224bc3a5c5d5e370c3bc86f3463ea888d78c6cd806b3a05093bed82655dff3c00cbc3da73e906381f

    • F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      d4dfb87dbdeef12c62446658e41906b0

      SHA1

      b870a7256f50a36abe19ab4a612e46c1fb93acce

      SHA256

      ebd1dd5416aa2b57bca2500cd3ffa921f62ddf3cd3b7187272fc148e48ec2ff6

      SHA512

      b6942eca9f1fd6af78b6085d41b076eb851bfcb04b2ce606154f25f4494eb065f795ad09141fc65f0e60444509916d6cf940af900b29d8e060fc7bd5549379ff

    • \ProgramData\DB51.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/1788-307-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/1788-306-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/1788-305-0x0000000000290000-0x00000000002D0000-memory.dmp

      Filesize

      256KB

    • memory/1788-304-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/1788-339-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

    • memory/1788-338-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

    • memory/2344-0-0x00000000021A0000-0x00000000021E0000-memory.dmp

      Filesize

      256KB