Overview (score 10)

Tasks (target, platform, score; a dash means no score was shown)
Static                   -                    10
329D6F9DDB...I_I386      ubuntu-24.04-amd64   -
329D6F9DDB...XI_X64      ubuntu-24.04-amd64   8
LBB.exe                  windows7-x64         9
LBB.exe                  windows10-2004-x64   9
LBB_PS1.ps1              windows7-x64         5
LBB_PS1.ps1              windows10-2004-x64   9
LBB_PS1_ob...ed.ps1      windows7-x64         3
LBB_PS1_ob...ed.ps1      windows10-2004-x64   3
LBB_PS1_pass.ps1         windows7-x64         10
LBB_PS1_pass.ps1         windows10-2004-x64   10
LBB_Reflec...in.dll      windows7-x64         9
LBB_Reflec...in.dll      windows10-2004-x64   7
LBB_Rundll32.dll         windows7-x64         3
LBB_Rundll32.dll         windows10-2004-x64   3
LBB_Rundll32_pass.dll    windows7-x64         10
LBB_Rundll32_pass.dll    windows10-2004-x64   10
LBB_pass.exe             windows7-x64         10
LBB_pass.exe             windows10-2004-x64   10
FC8E43EC21...32.exe      windows7-x64         7
FC8E43EC21...32.exe      windows10-2004-x64   7
FC8E43EC21...64.exe      windows7-x64         7
FC8E43EC21...64.exe      windows10-2004-x64   7
1007BF65F8..._ARM64      ubuntu-18.04-amd64   -
1007BF65F8..._ARM64      debian-9-armhf       -
1007BF65F8..._ARM64      debian-9-mips        -
1007BF65F8..._ARM64      debian-9-mipsel      -
1007BF65F8..._ARMV5      debian-9-armhf       8
1007BF65F8..._ARMV7      debian-9-armhf       8
1007BF65F8..._AMD64      ubuntu-24.04-amd64   -
1007BF65F8...X_I386      ubuntu-22.04-amd64   -
1007BF65F8...UX_X64      ubuntu-22.04-amd64   8
1007BF65F8...r_MIPS      debian-9-mips        8

Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 22:25
Behavioral tasks (task: sample, resource)
behavioral1: 329D6F9DDBF138D4/locker_ESXI_I386, ubuntu2404-amd64-20240523-en
behavioral2: 329D6F9DDBF138D4/locker_ESXI_X64, ubuntu2404-amd64-20240523-en
behavioral3: LBB.exe, win7-20240903-en
behavioral4: LBB.exe, win10v2004-20241007-en
behavioral5: LBB_PS1.ps1, win7-20241010-en
behavioral6: LBB_PS1.ps1, win10v2004-20241007-en
behavioral7: LBB_PS1_obfuscated.ps1, win7-20241023-en
behavioral8: LBB_PS1_obfuscated.ps1, win10v2004-20241007-en
behavioral9: LBB_PS1_pass.ps1, win7-20240903-en
behavioral10: LBB_PS1_pass.ps1, win10v2004-20241007-en
behavioral11: LBB_ReflectiveDll_DllMain.dll, win7-20240903-en
behavioral12: LBB_ReflectiveDll_DllMain.dll, win10v2004-20241007-en
behavioral13: LBB_Rundll32.dll, win7-20240729-en
behavioral14: LBB_Rundll32.dll, win10v2004-20241007-en
behavioral15: LBB_Rundll32_pass.dll, win7-20240903-en
behavioral16: LBB_Rundll32_pass.dll, win10v2004-20241007-en
behavioral17: LBB_pass.exe, win7-20241010-en
behavioral18: LBB_pass.exe, win10v2004-20241007-en
behavioral19: FC8E43EC21BE9047/lbg32.exe, win7-20240903-en
behavioral20: FC8E43EC21BE9047/lbg32.exe, win10v2004-20241007-en
behavioral21: FC8E43EC21BE9047/lbg64.exe, win7-20240903-en
behavioral22: FC8E43EC21BE9047/lbg64.exe, win10v2004-20241007-en
behavioral23: 1007BF65F80311D2/locker_ARM64, ubuntu1804-amd64-20240611-en
behavioral24: 1007BF65F80311D2/locker_ARM64, debian9-armhf-20240611-en
behavioral25: 1007BF65F80311D2/locker_ARM64, debian9-mipsbe-20240418-en
behavioral26: 1007BF65F80311D2/locker_ARM64, debian9-mipsel-20240729-en
behavioral27: 1007BF65F80311D2/locker_ARMV5, debian9-armhf-20240611-en
behavioral28: 1007BF65F80311D2/locker_ARMV7, debian9-armhf-20240611-en
behavioral29: 1007BF65F80311D2/locker_FREEBSD_AMD64, ubuntu2404-amd64-20240523-en
behavioral30: 1007BF65F80311D2/locker_LINUX_I386, ubuntu2204-amd64-20240611-en
behavioral31: 1007BF65F80311D2/locker_LINUX_X64, ubuntu2204-amd64-20240729-en
General
Target: LBB.exe
Size: 160KB
MD5: d1986caa455ffa11b46341e837777e52
SHA1: c045c2be676ebba04d7403f3636c7adb685a4011
SHA256: e2bda5afc3e70460223a98cd3520e4ab97fd126a48b9fe7d385e1e9730a11407
SHA512: ea87e4f31a45a4e54c56dc120ce26c369a02af952d0c20411677c4cba4eb442a43b776d094150458a0b72dc65b53ca29fc300739cc56f81c6f7fee5e15043359
SSDEEP: 3072:gDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368Pu7YlTx6gIB8FrN75DyW:K5d/zugZqll3AYrG+
Malware Config

Signatures

Renames multiple (173) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Deletes itself (1 IoC)
pid 1788, process DB51.tmp

Executes dropped EXE (1 IoC)
pid 1788, process DB51.tmp

Loads dropped DLL (1 IoC)
pid 2344, process LBB.exe

Drops desktop.ini file(s) (2 IoCs)
File opened for modification: C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini (LBB.exe)
File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini (LBB.exe)

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\kF0wnCN24.bmp" (LBB.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\kF0wnCN24.bmp" (LBB.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
pid 2344, process LBB.exe (6 events); pid 1788, process DB51.tmp (6 events)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (LBB.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DB51.tmp)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)

Modifies Control Panel (2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WallpaperStyle = "10" (LBB.exe)
Key created: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop (LBB.exe)

Modifies registry class (5 IoCs)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24 (LBB.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24\ = "kF0wnCN24" (LBB.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon (LBB.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24 (LBB.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon\ = "C:\\ProgramData\\kF0wnCN24.ico" (LBB.exe)

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid 2344, process LBB.exe (12 events)

Suspicious behavior: RenamesItself (26 IoCs)
pid 1788, process DB51.tmp (26 events)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid 2344, process LBB.exe, tokens in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege (16 events)
pid 580, process vssvc.exe, tokens in order: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 events)
pid 2344, process LBB.exe, 45 further events repeating the cycle SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege (11 full cycles, then a final SeBackupPrivilege)

Suspicious use of WriteProcessMemory (9 IoCs)
PID 2344 (LBB.exe) wrote to memory of PID 1788, procid_target 35 (5 events)
PID 1788 (DB51.tmp) wrote to memory of PID 2528, procid_target 36 (4 events)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (image path, command line, PID; indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\LBB.exe  "C:\Users\Admin\AppData\Local\Temp\LBB.exe"  PID:2344
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\DB51.tmp  "C:\ProgramData\DB51.tmp"  PID:1788
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DB51.tmp >> NUL  PID:2528
      - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe  PID:580
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE  C:\Windows\system32\AUDIODG.EXE 0x14c  PID:2372
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (Filesize: 129B)
MD5: d9351fdda3b27f2981eff0841fea5de6
SHA1: c3c8f2792c4d8ce491ca9e023e04bb6253594d85
SHA256: c9f89ff3fcd522285046a918ea460d43649d5a7bc2fb778db9b7f25a14fa7c99
SHA512: 3a5f093bd5d1c05882a3d05ea8b7035374c81c379fb8d61ca1611d8bbbe2ba3b3fe345a699bb5ad9d8078626193668b3b5c259ba113de73c6e7159e0dc9d7faf

File 2 (Filesize: 160KB)
MD5: 88e4dafad354791c4675022aab0d3459
SHA1: 57d946ffd384a86b2ef6d6a2ced159a36972e75b
SHA256: ec4e68c8c09420bd93aa06485dde930d48411b189e14b0579f39e002dd925dd5
SHA512: 54184235933b0b2c12f9cb9d714d3755dd9fabf6e8153749662757a643c50c8d3e896a8d922e46f2fd6ba82f5f91c73e3325ce68bef82a71b63bf915d6256d87

File 3 (Filesize: 6KB)
MD5: ccc27d1a265e0b9def5571b4b5c1dea5
SHA1: 3593f5e0240a60243fb1499525a404702c1d1a7c
SHA256: 4a32c33717b1d4b4f76a5a545be7b4f51277ed1dee4381e52ce526d3774f53ad
SHA512: ed42c6e88a9e6ecf3845e23e999c48ec0eee3b6b3b3de9b224bc3a5c5d5e370c3bc86f3463ea888d78c6cd806b3a05093bed82655dff3c00cbc3da73e906381f

File 4 (Filesize: 129B)
MD5: d4dfb87dbdeef12c62446658e41906b0
SHA1: b870a7256f50a36abe19ab4a612e46c1fb93acce
SHA256: ebd1dd5416aa2b57bca2500cd3ffa921f62ddf3cd3b7187272fc148e48ec2ff6
SHA512: b6942eca9f1fd6af78b6085d41b076eb851bfcb04b2ce606154f25f4494eb065f795ad09141fc65f0e60444509916d6cf940af900b29d8e060fc7bd5549379ff

File 5 (Filesize: 14KB)
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf