Overview
overview
10Static
static
10329D6F9DDB...I_I386
windows10-ltsc 2021-x64
1329D6F9DDB...XI_X64
windows10-ltsc 2021-x64
1LBB.exe
windows10-ltsc 2021-x64
9LBB_PS1.ps1
windows10-ltsc 2021-x64
9LBB_PS1_ob...ed.ps1
windows10-ltsc 2021-x64
3LBB_PS1_pass.ps1
windows10-ltsc 2021-x64
10LBB_Reflec...in.dll
windows10-ltsc 2021-x64
7LBB_Rundll32.dll
windows10-ltsc 2021-x64
3LBB_Rundll32_pass.dll
windows10-ltsc 2021-x64
10LBB_pass.exe
windows10-ltsc 2021-x64
10FC8E43EC21...32.exe
windows10-ltsc 2021-x64
7FC8E43EC21...64.exe
windows10-ltsc 2021-x64
7Analysis
-
max time kernel
24s -
max time network
112s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
20-12-2024 00:56
Behavioral task
behavioral1
Sample
329D6F9DDBF138D4/locker_ESXI_I386
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral2
Sample
329D6F9DDBF138D4/locker_ESXI_X64
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral3
Sample
LBB.exe
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral4
Sample
LBB_PS1.ps1
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral5
Sample
LBB_PS1_obfuscated.ps1
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral6
Sample
LBB_PS1_pass.ps1
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral7
Sample
LBB_ReflectiveDll_DllMain.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral8
Sample
LBB_Rundll32.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral9
Sample
LBB_Rundll32_pass.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral10
Sample
LBB_pass.exe
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral11
Sample
FC8E43EC21BE9047/lbg32.exe
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral12
Sample
FC8E43EC21BE9047/lbg64.exe
Resource
win10ltsc2021-20241211-en
General
-
Target
FC8E43EC21BE9047/lbg32.exe
-
Size
60KB
-
MD5
c5cc3c5cef6b382568a54f579b2965ff
-
SHA1
e85b5bf2fd1ea0d5d71841f2cc8d46fc2055c22b
-
SHA256
48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5
-
SHA512
74d93ba3dc7b3fdfafe30663162dad3fee0b278d12fea527eb535b4eb25979dcc365b49cb702ac9c2addbb0ee550310759e88c2657b61a2b0e4906d4099281eb
-
SSDEEP
1536:SAndsqiqdYMRgIaN04k27Gtdf/3U9s1iGbQTqL9:Fds3vIaN04kKGhjmq
Malware Config
Signatures
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
pid Process 3436 lbg32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: lbg32.exe File opened (read-only) \??\N: lbg32.exe File opened (read-only) \??\F: lbg32.exe File opened (read-only) \??\P: lbg32.exe File opened (read-only) \??\A: lbg32.exe File opened (read-only) \??\S: lbg32.exe File opened (read-only) \??\M: lbg32.exe File opened (read-only) \??\U: lbg32.exe File opened (read-only) \??\H: lbg32.exe File opened (read-only) \??\L: lbg32.exe File opened (read-only) \??\J: lbg32.exe File opened (read-only) \??\K: lbg32.exe File opened (read-only) \??\X: lbg32.exe File opened (read-only) \??\V: lbg32.exe File opened (read-only) \??\B: lbg32.exe File opened (read-only) \??\E: lbg32.exe File opened (read-only) \??\T: lbg32.exe File opened (read-only) \??\I: lbg32.exe File opened (read-only) \??\D: lbg32.exe File opened (read-only) \??\Y: lbg32.exe File opened (read-only) \??\O: lbg32.exe File opened (read-only) \??\Z: lbg32.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\NEWS.txt.b4e453585e80 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.5cb2ed5042a8 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.6acda41e18e6 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html.b265d426508e lbg32.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\vlc.mo.09858f6f7547 lbg32.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.81be3c151fcd lbg32.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling.ort.b341f1615389 lbg32.exe File opened for modification C:\Program Files\Common Files\Services\verisign.bmp.07888c7b6533 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.eb7f97797721 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\WWLIB.DLL.ab73db494f61 lbg32.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Restore-My-Files.txt lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.f28978ae90c6 lbg32.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\Restore-My-Files.txt lbg32.exe File opened for modification C:\Program Files\ImportUpdate.mpeg2.e42bcc989ad0 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms.4cc986203e88 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.2e604dc2cc1a lbg32.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo.7cfb84f0e2b8 lbg32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp.47d591d52f9d lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.2297b672403a lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.2c416ec0ce18 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\excel.exe.manifest.3285b466500e lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CENTURY.TTF.9e6df032047a lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN020.XML.3c0e31506218 lbg32.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\03_lastfm.luac.27c2e6cfc517 lbg32.exe File created C:\Program Files\VideoLAN\Restore-My-Files.txt lbg32.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.dd5d8353411b lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.47e7a3f5ebbd lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.29c9e3c7dd2f lbg32.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\vlc.mo.9c63fc300268 lbg32.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\common.js.b2b30222308a lbg32.exe File created C:\Program Files\Java\jre-1.8\Restore-My-Files.txt lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.42fabbd2e08a lbg32.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\Restore-My-Files.txt lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.9cac333006f8 lbg32.exe File created C:\Program Files\VideoLAN\VLC\locale\am\Restore-My-Files.txt lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWDB.TTF.e66782968c5e lbg32.exe File created C:\Program Files\Common Files\microsoft shared\Triedit\Restore-My-Files.txt lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.f8976cbca6f4 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.51782acdd3a5 lbg32.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.423b7a52608a lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL.1a968f9a9852 lbg32.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\Restore-My-Files.txt lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfig.xml.67beda777daf lbg32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp.82c0416e60b6 lbg32.exe File opened for modification C:\Program Files\7-Zip\Lang\mr.txt.9a861ffaf8b2 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms.972eba070dff lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.1d829c718329 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.1ae5fcbeb8f6 lbg32.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.c19654d5af1d lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms.14bcab888e60 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.9acb520a08b2 lbg32.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.89f17b272d5f lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.09d9d3e79dcf lbg32.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\Restore-My-Files.txt lbg32.exe File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt.c337f7d1ef19 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MTCORSVA.TTF.5e3a67564c9e lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALAB.TTF.abac04dfd9e7 lbg32.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo.25795fbbb9f3 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML.04d9de98e6d0 lbg32.exe File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\Restore-My-Files.txt lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.0e7578a294da lbg32.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo.e939d387fd2f lbg32.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\jce.jar.1c445bf08628 lbg32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.5ab2eb5a5892 lbg32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbg32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 916 WMIC.exe 916 WMIC.exe 916 WMIC.exe 916 WMIC.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3436 lbg32.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeDebugPrivilege 3436 lbg32.exe Token: SeBackupPrivilege 1160 vssvc.exe Token: SeRestorePrivilege 1160 vssvc.exe Token: SeAuditPrivilege 1160 vssvc.exe Token: SeIncreaseQuotaPrivilege 916 WMIC.exe Token: SeSecurityPrivilege 916 WMIC.exe Token: SeTakeOwnershipPrivilege 916 WMIC.exe Token: SeLoadDriverPrivilege 916 WMIC.exe Token: SeSystemProfilePrivilege 916 WMIC.exe Token: SeSystemtimePrivilege 916 WMIC.exe Token: SeProfSingleProcessPrivilege 916 WMIC.exe Token: SeIncBasePriorityPrivilege 916 WMIC.exe Token: SeCreatePagefilePrivilege 916 WMIC.exe Token: SeBackupPrivilege 916 WMIC.exe Token: SeRestorePrivilege 916 WMIC.exe Token: SeShutdownPrivilege 916 WMIC.exe Token: SeDebugPrivilege 916 WMIC.exe Token: SeSystemEnvironmentPrivilege 916 WMIC.exe Token: SeRemoteShutdownPrivilege 916 WMIC.exe Token: SeUndockPrivilege 916 WMIC.exe Token: SeManageVolumePrivilege 916 WMIC.exe Token: 33 916 WMIC.exe Token: 34 916 WMIC.exe Token: 35 916 WMIC.exe Token: 36 916 WMIC.exe Token: SeIncreaseQuotaPrivilege 916 WMIC.exe Token: SeSecurityPrivilege 916 WMIC.exe Token: SeTakeOwnershipPrivilege 916 WMIC.exe Token: SeLoadDriverPrivilege 916 WMIC.exe Token: SeSystemProfilePrivilege 916 WMIC.exe Token: SeSystemtimePrivilege 916 WMIC.exe Token: SeProfSingleProcessPrivilege 916 WMIC.exe Token: SeIncBasePriorityPrivilege 916 WMIC.exe Token: SeCreatePagefilePrivilege 916 WMIC.exe Token: SeBackupPrivilege 916 WMIC.exe Token: SeRestorePrivilege 916 WMIC.exe Token: SeShutdownPrivilege 916 WMIC.exe Token: SeDebugPrivilege 916 WMIC.exe Token: SeSystemEnvironmentPrivilege 916 WMIC.exe Token: SeRemoteShutdownPrivilege 916 WMIC.exe Token: SeUndockPrivilege 916 WMIC.exe Token: SeManageVolumePrivilege 916 WMIC.exe Token: 33 916 WMIC.exe Token: 34 916 WMIC.exe Token: 35 916 WMIC.exe Token: 36 916 WMIC.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3436 wrote to memory of 1612 3436 lbg32.exe 84 PID 3436 wrote to memory of 1612 3436 lbg32.exe 84 PID 1612 wrote to memory of 916 1612 cmd.exe 87 PID 1612 wrote to memory of 916 1612 cmd.exe 87 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe"C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe"1⤵
- Deletes itself
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4DD32EF-43A5-44F6-A678-A1832C7F15A2}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4DD32EF-43A5-44F6-A678-A1832C7F15A2}'" delete3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD574a77bd81fa83b32b595eafa20c978ec
SHA15ce7e2079a61d012d4839a84eb7bb329651a2ead
SHA25649cc31e84e5f3cf75de5d5f58f62ac6c43d9dca726dfc750593129b730a56616
SHA51271accd7c7e1060a696718a4f11a7e04c2f6c16b05dfe4fa12e80878d703a403b7d33861b1315436f881fba37e1a0c3ae2aefc09499f5e7b04b2c582ba0e635e4