General

  • Target

    Builds.7z

  • Size

    1.8MB

  • Sample

    241220-bav3esvrhp

  • MD5

    484933f81970182e04f190efe2527da1

  • SHA1

    72f0810a0ab7f1398ba9f0b0916ee97115e79cc4

  • SHA256

    3968a850f5bc70d954bb5609d929f181a6f05a117fa3be4531cbd96cedfde5d6

  • SHA512

    d9d5d96e13201de976d23783e077bb1f95af3946a44bd1347d637893e471eefed5d9b0de4a7d84d8d2040decf8cea4e3de83555b2424e58ebbc1c7eb4881e37a

  • SSDEEP

    49152:bor7D7eZFTWD/gjKZ4FhydMzOoSGSW7TeXY:UfeZFT48HSCilTWB

Malware Config

Targets

    • Target

      329D6F9DDBF138D4/locker_ESXI_I386

    • Size

      108KB

    • MD5

      a720e32658193a7f76be72363fbc919d

    • SHA1

      9b319e460a7000efd92e91a6f1072c4ee211dcda

    • SHA256

      ab8c2aca725df02bfdbfa0f493575e0dacd4467b2d0cd90c9a6acb66cb14d590

    • SHA512

      5f98f776e82c335f3a16deed12d654e7edb42236511c6eb0484fa0957ee7aa839ac85974864183e0be53333a558856ef39a1181839490b9f111a192dc71c2ff7

    • SSDEEP

      3072:5twJNAs5z2NS/P8BRlzWy5BGOiXj0hvYlx1DtqR5YeC:LwJpagWI9OiXQYlx1DtqAe

    • Score

      1/10

    • Target

      329D6F9DDBF138D4/locker_ESXI_X64

    • Size

      93KB

    • MD5

      b76b092f5188ccc8a046ffb4659c3641

    • SHA1

      82e19d8b7bc5379528feb9c3a335d70d79358229

    • SHA256

      dd1cf10faf4e638bb5a0efeeaa4bc2f1c91557c22e93d3f135e7e7c7f0e7be55

    • SHA512

      bf06f2d65f7eca482066da6b1cace219cba2e2ebae0034de3e3bae429a2e821ea2d35a41534d6d9d159ae992ef0b5c5a268a48a05ae1fbb0da69a2122631653f

    • SSDEEP

      1536:Jv8RiloA2YObuLk8WKP/gCILnPG+atNoU+tqRAJy+p4G:1Zl/2Ym8LZOnPG+iNoDtqRaya

    • Score

      1/10

    • Target

      LBB.exe

    • Size

      160KB

    • MD5

      d1986caa455ffa11b46341e837777e52

    • SHA1

      c045c2be676ebba04d7403f3636c7adb685a4011

    • SHA256

      e2bda5afc3e70460223a98cd3520e4ab97fd126a48b9fe7d385e1e9730a11407

    • SHA512

      ea87e4f31a45a4e54c56dc120ce26c369a02af952d0c20411677c4cba4eb442a43b776d094150458a0b72dc65b53ca29fc300739cc56f81c6f7fee5e15043359

    • SSDEEP

      3072:gDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368Pu7YlTx6gIB8FrN75DyW:K5d/zugZqll3AYrG+

    • Renames multiple (139) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      LBB_PS1.ps1

    • Size

      466KB

    • MD5

      17a7cd1ead2d35ed5d69c71d4fd7386d

    • SHA1

      734400d4444b88fe3848c80e3dba2ad9a5155c56

    • SHA256

      20dd91f589ea77b84c8ed0f67bce837d1f4d7688e56754e709d467db0bea03c9

    • SHA512

      7d5cd9b042229d1076a587b75594a002d379396d6ec889a8aee457a6a5a399130ae0a43fe0863adae23e32e46a7d17d4b55bfc2564cb17e579751161f6778828

    • SSDEEP

      1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJI:VA

    • Renames multiple (184) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Deletes itself

    • Executes dropped EXE

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      LBB_PS1_obfuscated.ps1

    • Size

      274B

    • MD5

      a8e97fe5a7115e42759d67f7e4d88b0d

    • SHA1

      7a4dce9165f34ca44e79b06f3a07281f6cf08823

    • SHA256

      d9e7a01521d956c5ef3e07153209be63da738eee98902050c06424292d7b1387

    • SHA512

      77126af7f207d4ab854e3293936c73591289ca97211823513941bdae60b9da48fc3b829e2819ef1230f86cb8761eab37f6dca61281b2dfc7209ce471af68422b

    • Score

      3/10

    • Target

      LBB_PS1_pass.ps1

    • Size

      590KB

    • MD5

      d96d2bcf13d55740f3bb64d45d2db94d

    • SHA1

      4ded4b1d4866a4adf534f5a4eb66386465fe3120

    • SHA256

      82d89a75d80e80e4be42c9eb79e401558c9fa3175648cd0c0467f2de1a07a908

    • SHA512

      cb1fbe8f36630915796d864c5a044177ea4ad881281ec454f932232fff99ce0524fb63becd96581a23cfe12bc455d55b613aaa389aa0a68fac97748400f473bd

    • SSDEEP

      1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJh:QA

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Target

      LBB_ReflectiveDll_DllMain.dll

    • Size

      113KB

    • MD5

      ab5bdca69285d4838af12117c910bfde

    • SHA1

      208060cf988f1702124504bae0c6a4addbeb6db3

    • SHA256

      5594fea724aa3a124b259e81999f20affecb2238f7e517c56c450a3a311ab2bd

    • SHA512

      33c8cb31dd142defcf52ddadaa540d86d8fdd586ad3f0f280d90c66279cf09229edde08efb9daac81383f65ba171b86344c4e5c6343b02270bfa92201e08f547

    • SSDEEP

      3072:+/fNzovq5EKHttru48dBVFktgraAyHXU:+/Gvq5EKH6zdrFPraA

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      LBB_Rundll32.dll

    • Size

      158KB

    • MD5

      0682f7cfceb51d4a6a213b9fe4159ad2

    • SHA1

      777833fdaf0c1e5d03dde300dba3947a9b65c656

    • SHA256

      00aa54bfab3963a2c006058e48cde42e299811f9b85acbc69406c5bfb331f789

    • SHA512

      72d79387ca0d9579d7a7bb7c6c729048bd1321fd07653cb7cbc9bedcc217fd18414b02b46f83843b3f90d0841fc61f24f0ef19700326d8a8aaf6366a00bc5113

    • SSDEEP

      3072:thKVNA/3U+Z15B5RPu+zYNkQA1Izqa26odDWtiSCC8lvdLW:thoyUyX5RPu+zY6+Wa26iDWsSCC8lvI

    • Score

      3/10

    • Target

      LBB_Rundll32_pass.dll

    • Size

      154KB

    • MD5

      b51e42d419218e70b0ae216c3ac57784

    • SHA1

      f3023c627d1dce8d5ff4e6733af420df350fdda7

    • SHA256

      a98fb2671ae63d179c1cf39d163a4b3dbf769c9951a0ebad5d4c76244752253e

    • SHA512

      96fa388526984f3976ddb5f5376af88200e3d85bc41754556f9b00be32c81332d52aeb5b1e0387ce83be220f34199a88379aa9c90f679eb17ac10f9cf8714f37

    • SSDEEP

      3072:sUM/b6nriEhhyj26gWNOm18JcdwgqYUkSvVDjogUliww56T9tEtc:sUsmr7yX3Um18JcdwgqYUkCRjorqGTP

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Target

      LBB_pass.exe

    • Size

      156KB

    • MD5

      0e38243dcb91851f0646140a16d6832d

    • SHA1

      d5a11399206c54ef1bd11945a5f6a0d721c4a6c9

    • SHA256

      635e9ca3baae7e32225f05d16159e339a297a4c1b749e5a8e81ffc8df3c5c37c

    • SHA512

      8198cf16b815c697e94b8b19b7555191189d6eba2e0bc2b5690277244dcf7da74907d95d8a10bb9bf43a23ae94e5fb57d062c00f947fe8558c9ef633bb066b0e

    • SSDEEP

      3072:iMvRBMY5u+t3YSs1C439/FgfDcTDnHNszfp0QoHkIgep3i8Skb4wE4Ab:ikBS+5YSsdLTH6zfQEupRUb

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Target

      FC8E43EC21BE9047/lbg32.exe

    • Size

      60KB

    • MD5

      c5cc3c5cef6b382568a54f579b2965ff

    • SHA1

      e85b5bf2fd1ea0d5d71841f2cc8d46fc2055c22b

    • SHA256

      48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5

    • SHA512

      74d93ba3dc7b3fdfafe30663162dad3fee0b278d12fea527eb535b4eb25979dcc365b49cb702ac9c2addbb0ee550310759e88c2657b61a2b0e4906d4099281eb

    • SSDEEP

      1536:SAndsqiqdYMRgIaN04k27Gtdf/3U9s1iGbQTqL9:Fds3vIaN04kKGhjmq

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      FC8E43EC21BE9047/lbg64.exe

    • Size

      49KB

    • MD5

      8ff61e4156c10b085e0c2233f24e8501

    • SHA1

      69d50a8efd73c619aa36113ec04368db83d9b331

    • SHA256

      3552dda80bd6875c1ed1273ca7562c9ace3de2f757266dae70f60bf204089a4a

    • SHA512

      dbde74b89d498d708215ddfdc9a2a38cb27be931c9fe2d5965aba3c31482a0efbe39913ed17eabe5eae3b5efc9cb369589784e7d9ce5b2e89505c10406038249

    • SSDEEP

      768:9pZt6fz03gUYxTSGCoTrxTjA+xqCkEiAOPZAzEZoo6Czcit6OjeB6:jpQRNSGCo64OxAgZUCcicvB6

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks