Analysis

  • max time kernel
    99s
  • max time network
    141s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    20-12-2024 00:56

General

  • Target

    LBB.exe

  • Size

    160KB

  • MD5

    d1986caa455ffa11b46341e837777e52

  • SHA1

    c045c2be676ebba04d7403f3636c7adb685a4011

  • SHA256

    e2bda5afc3e70460223a98cd3520e4ab97fd126a48b9fe7d385e1e9730a11407

  • SHA512

    ea87e4f31a45a4e54c56dc120ce26c369a02af952d0c20411677c4cba4eb442a43b776d094150458a0b72dc65b53ca29fc300739cc56f81c6f7fee5e15043359

  • SSDEEP

    3072:gDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368Pu7YlTx6gIB8FrN75DyW:K5d/zugZqll3AYrG+

Malware Config

Signatures

  • Renames multiple (139) files with added filename extension

    Renaming 139 files and appending an extension to each is the on-disk footprint of ransomware encrypting files across the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely to geofence execution (skip hosts in certain locales).

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots; ransomware typically calls it to remove existing shadow copies so encrypted files cannot be restored from them. The report shows only that the COM API was used (vssvc.exe starts during the run, see Processes), not which VSS operation was requested.
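
Detection logic for the "Renames multiple files with added filename extension" signature listed above, as an added example: this is not part of the sandbox report or the sample. It runs over constructed file-rename events of the kind an EDR or Sysmon-style sensor emits; the field names, paths, the extra PIDs and the `.locked` extension are assumptions, and PID 4932 is reused from the report's process tree.

```python
"""Detection logic for the 'renames multiple files with added filename
extension' signature.

Added example, not part of the sandbox report or the sample: it runs over
constructed file-rename events of the kind an EDR or Sysmon-style sensor
emits. Field names, paths, PIDs and the appended extension are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
import ntpath  # Windows path semantics even when this runs on Linux


@dataclass(frozen=True)
class RenameEvent:
    pid: int        # process that performed the rename
    old_path: str
    new_path: str


def appended_extension(old_path: str, new_path: str) -> Optional[str]:
    """Return the extension appended to old_path by the rename, or None.

    Only the 'same directory, original name kept, extension appended' form is
    recognised; wholesale renames are deliberately not matched, because that is
    the form the signature in the report describes."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower():          # moved, not renamed in place
        return None
    if not new_name.lower().startswith(old_name.lower()):
        return None
    ext = new_name[len(old_name):]
    return ext if ext.startswith(".") and len(ext) > 1 else None


def mass_rename_offenders(events: Iterable[RenameEvent],
                          threshold: int = 10) -> Dict[Tuple[int, str], List[str]]:
    """Group renames by (pid, appended extension); return groups at/over threshold.

    A backup tool appending '.bak' to one file stays under the threshold; one
    process appending the same extension to many files across directories
    does not."""
    groups: Dict[Tuple[int, str], List[str]] = defaultdict(list)
    for ev in events:
        ext = appended_extension(ev.old_path, ev.new_path)
        if ext is not None:
            groups[(ev.pid, ext.lower())].append(ev.old_path)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= threshold}


# Constructed events (assumption): PID 4932 is the sample from the report;
# ".locked" stands in for whatever extension the sample really appends.
SAMPLE_EVENTS: List[RenameEvent] = [
    RenameEvent(4932, rf"C:\Users\Admin\Documents\doc{i}.docx",
                rf"C:\Users\Admin\Documents\doc{i}.docx.locked")
    for i in range(8)
] + [
    RenameEvent(4932, rf"F:\share\photo{i}.jpg", rf"F:\share\photo{i}.jpg.locked")
    for i in range(4)
] + [
    # benign single backup rename by another process: under threshold
    RenameEvent(1200, r"C:\Users\Admin\report.xlsx", r"C:\Users\Admin\report.xlsx.bak"),
    # wholesale rename: not the appended-extension form
    RenameEvent(4932, r"C:\Users\Admin\new.txt", r"C:\Users\Admin\renamed.txt"),
    # moved into another directory: not counted either
    RenameEvent(4932, r"C:\Users\Admin\a.txt", r"C:\Users\Admin\old\a.txt.locked"),
]


def detect() -> Dict[Tuple[int, str], List[str]]:
    """Run the detection over the constructed events."""
    return mass_rename_offenders(SAMPLE_EVENTS, threshold=10)


if __name__ == "__main__":
    for (pid, ext), paths in detect().items():
        print(f"PID {pid} appended {ext!r} to {len(paths)} files, e.g. {paths[0]}")
```

The threshold and the grouping key are the tunable parts: grouping by (pid, extension) keeps a single backup utility out of the alert, while counting across directories (here both `C:\Users\...` and `F:\share`) matches the report's observation that the sample touched a second volume as well.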

Processes

  • C:\Users\Admin\AppData\Local\Temp\LBB.exe
    "C:\Users\Admin\AppData\Local\Temp\LBB.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\ProgramData\7EA6.tmp
      "C:\ProgramData\7EA6.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7EA6.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:556
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4684
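
Two checks a practitioner would want to run over a process tree like the one above, as an added example that is not part of the sandbox report: flagging an executable that runs from a `.tmp` file under `C:\ProgramData`, and flagging a `cmd.exe` child whose `DEL` target is its own parent's image (the self-deletion pattern shown for PID 556). The records are reconstructed from the tree above (PIDs 4932, 1076, 556, 4684); the parent PIDs follow the tree's nesting rather than being stated by the report, and the explorer.exe records are constructed as a benign control.

```python
"""Process-tree checks for a dropped .tmp executable under ProgramData and for
self-deletion through a cmd.exe child.

Added example, not part of the sandbox report. Records are reconstructed from
the report's process tree; parent PIDs follow its nesting, and the
explorer.exe records are a constructed benign control."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str      # full image path as recorded by the sensor
    cmdline: str


# 'DEL', optional single-letter switches (/F /Q ...), then the first target.
# Anchored on the word DEL only: a path component literally named 'del'
# would also match, so treat hits as leads, not verdicts.
DEL_RE = re.compile(r'\bDEL\b((?:\s+/[A-Za-z])*)\s+("[^"]+"|\S+)', re.IGNORECASE)


def del_target(cmdline: str) -> Optional[str]:
    """Extract the path that a cmd.exe DEL command line deletes, or None."""
    m = DEL_RE.search(cmdline)
    return m.group(2).strip('"') if m else None


def find_self_deletes(procs: List[Proc]) -> List[Tuple[int, str, int, str]]:
    """Return (parent pid, parent image, cmd pid, deleted path) for every
    cmd.exe whose DEL target is its own parent's image."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if ntpath.basename(p.image).lower() != "cmd.exe":
            continue
        target = del_target(p.cmdline)
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if target is None or parent is None:
            continue
        # Compare basenames only: the DEL argument uses the 8.3 short form
        # (C:\PROGRA~3) while the parent image is recorded in long form, and
        # resolving short names correctly needs GetLongPathName on that host.
        if ntpath.basename(target).lower() == ntpath.basename(parent.image).lower():
            hits.append((parent.pid, parent.image, p.pid, target))
    return hits


def find_programdata_tmp_executables(procs: List[Proc]) -> List[Proc]:
    """Processes whose image is a .tmp file directly under the ProgramData root."""
    out = []
    for p in procs:
        directory = ntpath.dirname(p.image).lower().rstrip("\\")
        if directory == r"c:\programdata" and p.image.lower().endswith(".tmp"):
            out.append(p)
    return out


# Reconstructed from the report's process tree plus a constructed benign pair.
SAMPLE_TREE: List[Proc] = [
    Proc(4932, None, r"C:\Users\Admin\AppData\Local\Temp\LBB.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\LBB.exe"'),
    Proc(1076, 4932, r"C:\ProgramData\7EA6.tmp", r'"C:\ProgramData\7EA6.tmp"'),
    Proc(556, 1076, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7EA6.tmp >> NUL'),
    Proc(4684, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    # benign control (constructed): a user shell deleting an unrelated log file
    Proc(4000, None, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(900, 4000, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Users\Admin\build.log"'),
]


if __name__ == "__main__":
    for parent_pid, image, cmd_pid, target in find_self_deletes(SAMPLE_TREE):
        print(f"PID {parent_pid} ({image}) deleted itself via cmd.exe PID {cmd_pid}: {target}")
    for p in find_programdata_tmp_executables(SAMPLE_TREE):
        print(f"executable masquerading as .tmp: PID {p.pid} {p.image}")
```

Note the image path mismatch the report itself records for PID 556: the command line names `C:\Windows\System32\cmd.exe` while the loaded image is `C:\Windows\SysWOW64\cmd.exe`, because a 32-bit parent is redirected by WOW64. Matching on the basename `cmd.exe` rather than the full path keeps the check working for both cases.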

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3506525125-3566313221-3651816328-1000\UUUUUUUUUUU

    Filesize

    129B

    MD5

    7cb83598a1138bf97af6605aece0b4ec

    SHA1

    cea5422ae73d62f0bab7116e21960f39d734647d

    SHA256

    cf21d11f5a6be49e2e16dc0b0b7426d6fb9ff97afdfe45acf680588307eb28ef

    SHA512

    56ab6f1ccd353d6375c4de616b8c9950e4ebf7cb4a813321c0d5044e21b7fab9f3592a77a0671751c51f946a551129f3caa6db632ab4e17720c10382aafbd4ec

  • C:\ProgramData\7EA6.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDD

    Filesize

    160KB

    MD5

    4be3cb948027acc35d9bc04f2799c3ac

    SHA1

    019b355291e30be8a688f405587eb64b8124e9b6

    SHA256

    2e2bd88131b695cb18b9d824e72c34c983ce4d9a41fc65373edf744d923202a4

    SHA512

    c346992085bb021f3c0dfeccb25766ec6b5b54a7ee6d84f77563489cc1b04bb4b3b84178e98f5eb75202b87cabc91bab8ca820d06c7ddebe9b8e0b53c750f2c4

  • F:\$RECYCLE.BIN\S-1-5-21-3506525125-3566313221-3651816328-1000\DDDDDDDDDDD

    Filesize

    129B

    MD5

    4fa563e64cff48d425258abcd87eb2db

    SHA1

    9882bb18f7f54651944fef9cafdc2130a6c25ece

    SHA256

    4b5f91a5dbd70e975478db2d53eac53e4288e715971e677ffc5e9980ef2c77e4

    SHA512

    757183ad0376a8cb33dbc763813e6665a5ef0ee85a7326ab048661e4cc2bb258ec480ea0fda1e88d400e7d85f681e6917bf47cea3521d14f0a0e01a58cdf102b

  • F:\kF0wnCN24.README.txt

    Filesize

    6KB

    MD5

    046c0342da8a874999416c79aef0f3d9

    SHA1

    ffc642c8ccbcadf4e9b1060d41179c2d6a2ea029

    SHA256

    497c8379fbde7d28ba866a0c43ddf96a54ee8d17d57d5e3ac1083246b36d7920

    SHA512

    0d46820af073d3707bd04771956200e34e24eba997d71bd2d4d8848c15e6dd2dab2d016d14d29b1e7e89f2c938bb93ad6365d38a0137ea3135f380d2c4913fd8

  • memory/1076-269-0x0000000002380000-0x0000000002390000-memory.dmp

    Filesize

    64KB

  • memory/1076-268-0x000000007FE40000-0x000000007FE41000-memory.dmp

    Filesize

    4KB

  • memory/1076-273-0x000000007FE20000-0x000000007FE21000-memory.dmp

    Filesize

    4KB

  • memory/1076-272-0x0000000002380000-0x0000000002390000-memory.dmp

    Filesize

    64KB

  • memory/1076-270-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

    Filesize

    4KB

  • memory/1076-302-0x0000000002380000-0x0000000002390000-memory.dmp

    Filesize

    64KB

  • memory/1076-305-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

    Filesize

    4KB

  • memory/1076-306-0x000000007FE00000-0x000000007FE01000-memory.dmp

    Filesize

    4KB

  • memory/4932-0-0x0000000002E20000-0x0000000002E30000-memory.dmp

    Filesize

    64KB

  • memory/4932-271-0x0000000002E20000-0x0000000002E30000-memory.dmp

    Filesize

    64KB

  • memory/4932-2-0x0000000002E20000-0x0000000002E30000-memory.dmp

    Filesize

    64KB

  • memory/4932-1-0x0000000002E20000-0x0000000002E30000-memory.dmp

    Filesize

    64KB