Overview

Static analysis score: 10

Score  Sample                   Platform
10     329D6F9DDB...I_I386      windows10-ltsc 2021-x64
1      329D6F9DDB...XI_X64      windows10-ltsc 2021-x64
1      LBB.exe                  windows10-ltsc 2021-x64
9      LBB_PS1.ps1              windows10-ltsc 2021-x64
9      LBB_PS1_ob...ed.ps1      windows10-ltsc 2021-x64
3      LBB_PS1_pass.ps1         windows10-ltsc 2021-x64
10     LBB_Reflec...in.dll      windows10-ltsc 2021-x64
7      LBB_Rundll32.dll         windows10-ltsc 2021-x64
3      LBB_Rundll32_pass.dll    windows10-ltsc 2021-x64
10     LBB_pass.exe             windows10-ltsc 2021-x64
10     FC8E43EC21...32.exe      windows10-ltsc 2021-x64
7      FC8E43EC21...64.exe      windows10-ltsc 2021-x64

Analysis (score 7)
- max time kernel: 99s
- max time network: 141s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241211-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 20-12-2024 00:56
Behavioral tasks (all run on resource win10ltsc2021-20241211-en)

Task          Sample
behavioral1   329D6F9DDBF138D4/locker_ESXI_I386
behavioral2   329D6F9DDBF138D4/locker_ESXI_X64
behavioral3   LBB.exe
behavioral4   LBB_PS1.ps1
behavioral5   LBB_PS1_obfuscated.ps1
behavioral6   LBB_PS1_pass.ps1
behavioral7   LBB_ReflectiveDll_DllMain.dll
behavioral8   LBB_Rundll32.dll
behavioral9   LBB_Rundll32_pass.dll
behavioral10  LBB_pass.exe
behavioral11  FC8E43EC21BE9047/lbg32.exe
behavioral12  FC8E43EC21BE9047/lbg64.exe
General

- Target: LBB.exe
- Size: 160KB
- MD5: d1986caa455ffa11b46341e837777e52
- SHA1: c045c2be676ebba04d7403f3636c7adb685a4011
- SHA256: e2bda5afc3e70460223a98cd3520e4ab97fd126a48b9fe7d385e1e9730a11407
- SHA512: ea87e4f31a45a4e54c56dc120ce26c369a02af952d0c20411677c4cba4eb442a43b776d094150458a0b72dc65b53ca29fc300739cc56f81c6f7fee5e15043359
- SSDEEP: 3072:gDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368Pu7YlTx6gIB8FrN75DyW:K5d/zugZqll3AYrG+
Malware Config
Signatures
- Renames multiple (139) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation (process: 7EA6.tmp)

- Deletes itself (1 IoC)
  PID 1076, 7EA6.tmp

- Executes dropped EXE (1 IoC)
  PID 1076, 7EA6.tmp

- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-3506525125-3566313221-3651816328-1000\desktop.ini (process: LBB.exe)
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-3506525125-3566313221-3651816328-1000\desktop.ini (process: LBB.exe)

- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\kF0wnCN24.bmp" (process: LBB.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\kF0wnCN24.bmp" (process: LBB.exe)

- Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  PID 4932, LBB.exe (6 entries); PID 1076, 7EA6.tmp (6 entries)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: cmd.exe, LBB.exe, 7EA6.tmp)

- Modifies Control Panel (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\Desktop (process: LBB.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\Desktop\WallpaperStyle = "10" (process: LBB.exe)

- Modifies registry class (5 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24 (process: LBB.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24\ = "kF0wnCN24" (process: LBB.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon (process: LBB.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24 (process: LBB.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon\ = "C:\\ProgramData\\kF0wnCN24.ico" (process: LBB.exe)

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 4932, LBB.exe (12 entries)

- Suspicious behavior: RenamesItself (26 IoCs)
  PID 1076, 7EA6.tmp (26 entries)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 4932, LBB.exe: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege
  PID 4684, vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 4932, LBB.exe: 45 further token adjustments alternating between SeBackupPrivilege and SeSecurityPrivilege

- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 4932 (LBB.exe) wrote to memory of PID 1076, procid_target 91 (4 entries)
  PID 1076 (7EA6.tmp) wrote to memory of PID 556, procid_target 95 (3 entries)

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Users\Admin\AppData\Local\Temp\LBB.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\LBB.exe"
  PID: 4932
  Signatures: Drops desktop.ini file(s); Sets desktop wallpaper using registry; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\ProgramData\7EA6.tmp
    Command line: "C:\ProgramData\7EA6.tmp"
    PID: 1076
    Signatures: Checks computer location settings; Deletes itself; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7EA6.tmp >> NUL
      PID: 556
      Signatures: System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4684
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads