Overview
General
Target: Builds.7z
Size: 1.8MB
Sample: 241220-bav3esvrhp
MD5: 484933f81970182e04f190efe2527da1
SHA1: 72f0810a0ab7f1398ba9f0b0916ee97115e79cc4
SHA256: 3968a850f5bc70d954bb5609d929f181a6f05a117fa3be4531cbd96cedfde5d6
SHA512: d9d5d96e13201de976d23783e077bb1f95af3946a44bd1347d637893e471eefed5d9b0de4a7d84d8d2040decf8cea4e3de83555b2424e58ebbc1c7eb4881e37a
SSDEEP: 49152:bor7D7eZFTWD/gjKZ4FhydMzOoSGSW7TeXY:UfeZFT48HSCilTWB

Behavioral tasks (all run on resource win10ltsc2021-20241211-en)
- behavioral1: 329D6F9DDBF138D4/locker_ESXI_I386
- behavioral2: 329D6F9DDBF138D4/locker_ESXI_X64
- behavioral3: LBB.exe
- behavioral4: LBB_PS1.ps1
- behavioral5: LBB_PS1_obfuscated.ps1
- behavioral6: LBB_PS1_pass.ps1
- behavioral7: LBB_ReflectiveDll_DllMain.dll
- behavioral8: LBB_Rundll32.dll
- behavioral9: LBB_Rundll32_pass.dll
- behavioral10: LBB_pass.exe
- behavioral11: FC8E43EC21BE9047/lbg32.exe
- behavioral12: FC8E43EC21BE9047/lbg64.exe

Malware Config
Targets
Target: 329D6F9DDBF138D4/locker_ESXI_I386
Size: 108KB
MD5: a720e32658193a7f76be72363fbc919d
SHA1: 9b319e460a7000efd92e91a6f1072c4ee211dcda
SHA256: ab8c2aca725df02bfdbfa0f493575e0dacd4467b2d0cd90c9a6acb66cb14d590
SHA512: 5f98f776e82c335f3a16deed12d654e7edb42236511c6eb0484fa0957ee7aa839ac85974864183e0be53333a558856ef39a1181839490b9f111a192dc71c2ff7
SSDEEP: 3072:5twJNAs5z2NS/P8BRlzWy5BGOiXj0hvYlx1DtqR5YeC:LwJpagWI9OiXQYlx1DtqAe
Score: 1/10

Target: 329D6F9DDBF138D4/locker_ESXI_X64
Size: 93KB
MD5: b76b092f5188ccc8a046ffb4659c3641
SHA1: 82e19d8b7bc5379528feb9c3a335d70d79358229
SHA256: dd1cf10faf4e638bb5a0efeeaa4bc2f1c91557c22e93d3f135e7e7c7f0e7be55
SHA512: bf06f2d65f7eca482066da6b1cace219cba2e2ebae0034de3e3bae429a2e821ea2d35a41534d6d9d159ae992ef0b5c5a268a48a05ae1fbb0da69a2122631653f
SSDEEP: 1536:Jv8RiloA2YObuLk8WKP/gCILnPG+atNoU+tqRAJy+p4G:1Zl/2Ym8LZOnPG+iNoDtqRaya
Score: 1/10

Target: LBB.exe
Size: 160KB
MD5: d1986caa455ffa11b46341e837777e52
SHA1: c045c2be676ebba04d7403f3636c7adb685a4011
SHA256: e2bda5afc3e70460223a98cd3520e4ab97fd126a48b9fe7d385e1e9730a11407
SHA512: ea87e4f31a45a4e54c56dc120ce26c369a02af952d0c20411677c4cba4eb442a43b776d094150458a0b72dc65b53ca29fc300739cc56f81c6f7fee5e15043359
SSDEEP: 3072:gDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368Pu7YlTx6gIB8FrN75DyW:K5d/zugZqll3AYrG+
Score: 9/10
Signatures:
- Renames multiple (139) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: LBB_PS1.ps1
Size: 466KB
MD5: 17a7cd1ead2d35ed5d69c71d4fd7386d
SHA1: 734400d4444b88fe3848c80e3dba2ad9a5155c56
SHA256: 20dd91f589ea77b84c8ed0f67bce837d1f4d7688e56754e709d467db0bea03c9
SHA512: 7d5cd9b042229d1076a587b75594a002d379396d6ec889a8aee457a6a5a399130ae0a43fe0863adae23e32e46a7d17d4b55bfc2564cb17e579751161f6778828
SSDEEP: 1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJI:VA
Score: 9/10
Signatures:
- Renames multiple (184) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Deletes itself
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: LBB_PS1_obfuscated.ps1
Size: 274B
MD5: a8e97fe5a7115e42759d67f7e4d88b0d
SHA1: 7a4dce9165f34ca44e79b06f3a07281f6cf08823
SHA256: d9e7a01521d956c5ef3e07153209be63da738eee98902050c06424292d7b1387
SHA512: 77126af7f207d4ab854e3293936c73591289ca97211823513941bdae60b9da48fc3b829e2819ef1230f86cb8761eab37f6dca61281b2dfc7209ce471af68422b
Score: 3/10

Target: LBB_PS1_pass.ps1
Size: 590KB
MD5: d96d2bcf13d55740f3bb64d45d2db94d
SHA1: 4ded4b1d4866a4adf534f5a4eb66386465fe3120
SHA256: 82d89a75d80e80e4be42c9eb79e401558c9fa3175648cd0c0467f2de1a07a908
SHA512: cb1fbe8f36630915796d864c5a044177ea4ad881281ec454f932232fff99ce0524fb63becd96581a23cfe12bc455d55b613aaa389aa0a68fac97748400f473bd
SSDEEP: 1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJh:QA
Score: 10/10
Signatures:
- Lockbit family
- Rule to detect Lockbit 3.0 ransomware Windows payload

Target: LBB_ReflectiveDll_DllMain.dll
Size: 113KB
MD5: ab5bdca69285d4838af12117c910bfde
SHA1: 208060cf988f1702124504bae0c6a4addbeb6db3
SHA256: 5594fea724aa3a124b259e81999f20affecb2238f7e517c56c450a3a311ab2bd
SHA512: 33c8cb31dd142defcf52ddadaa540d86d8fdd586ad3f0f280d90c66279cf09229edde08efb9daac81383f65ba171b86344c4e5c6343b02270bfa92201e08f547
SSDEEP: 3072:+/fNzovq5EKHttru48dBVFktgraAyHXU:+/Gvq5EKH6zdrFPraA
Score: 7/10
Signatures:
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: LBB_Rundll32.dll
Size: 158KB
MD5: 0682f7cfceb51d4a6a213b9fe4159ad2
SHA1: 777833fdaf0c1e5d03dde300dba3947a9b65c656
SHA256: 00aa54bfab3963a2c006058e48cde42e299811f9b85acbc69406c5bfb331f789
SHA512: 72d79387ca0d9579d7a7bb7c6c729048bd1321fd07653cb7cbc9bedcc217fd18414b02b46f83843b3f90d0841fc61f24f0ef19700326d8a8aaf6366a00bc5113
SSDEEP: 3072:thKVNA/3U+Z15B5RPu+zYNkQA1Izqa26odDWtiSCC8lvdLW:thoyUyX5RPu+zY6+Wa26iDWsSCC8lvI
Score: 3/10

Target: LBB_Rundll32_pass.dll
Size: 154KB
MD5: b51e42d419218e70b0ae216c3ac57784
SHA1: f3023c627d1dce8d5ff4e6733af420df350fdda7
SHA256: a98fb2671ae63d179c1cf39d163a4b3dbf769c9951a0ebad5d4c76244752253e
SHA512: 96fa388526984f3976ddb5f5376af88200e3d85bc41754556f9b00be32c81332d52aeb5b1e0387ce83be220f34199a88379aa9c90f679eb17ac10f9cf8714f37
SSDEEP: 3072:sUM/b6nriEhhyj26gWNOm18JcdwgqYUkSvVDjogUliww56T9tEtc:sUsmr7yX3Um18JcdwgqYUkCRjorqGTP
Score: 10/10
Signatures:
- Lockbit family
- Rule to detect Lockbit 3.0 ransomware Windows payload

Target: LBB_pass.exe
Size: 156KB
MD5: 0e38243dcb91851f0646140a16d6832d
SHA1: d5a11399206c54ef1bd11945a5f6a0d721c4a6c9
SHA256: 635e9ca3baae7e32225f05d16159e339a297a4c1b749e5a8e81ffc8df3c5c37c
SHA512: 8198cf16b815c697e94b8b19b7555191189d6eba2e0bc2b5690277244dcf7da74907d95d8a10bb9bf43a23ae94e5fb57d062c00f947fe8558c9ef633bb066b0e
SSDEEP: 3072:iMvRBMY5u+t3YSs1C439/FgfDcTDnHNszfp0QoHkIgep3i8Skb4wE4Ab:ikBS+5YSsdLTH6zfQEupRUb
Score: 10/10
Signatures:
- Lockbit family
- Rule to detect Lockbit 3.0 ransomware Windows payload

Target: FC8E43EC21BE9047/lbg32.exe
Size: 60KB
MD5: c5cc3c5cef6b382568a54f579b2965ff
SHA1: e85b5bf2fd1ea0d5d71841f2cc8d46fc2055c22b
SHA256: 48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5
SHA512: 74d93ba3dc7b3fdfafe30663162dad3fee0b278d12fea527eb535b4eb25979dcc365b49cb702ac9c2addbb0ee550310759e88c2657b61a2b0e4906d4099281eb
SSDEEP: 1536:SAndsqiqdYMRgIaN04k27Gtdf/3U9s1iGbQTqL9:Fds3vIaN04kKGhjmq
Score: 7/10
Signatures:
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Deletes itself
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.

Target: FC8E43EC21BE9047/lbg64.exe
Size: 49KB
MD5: 8ff61e4156c10b085e0c2233f24e8501
SHA1: 69d50a8efd73c619aa36113ec04368db83d9b331
SHA256: 3552dda80bd6875c1ed1273ca7562c9ace3de2f757266dae70f60bf204089a4a
SHA512: dbde74b89d498d708215ddfdc9a2a38cb27be931c9fe2d5965aba3c31482a0efbe39913ed17eabe5eae3b5efc9cb369589784e7d9ce5b2e89505c10406038249
SSDEEP: 768:9pZt6fz03gUYxTSGCoTrxTjA+xqCkEiAOPZAzEZoo6Czcit6OjeB6:jpQRNSGCo64OxAgZUCcicvB6
Score: 7/10
Signatures:
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Deletes itself
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)