Overview
Static (score 10)

Submitted samples (score / sample / platform):
 10  329D6F9DDB...I_I386      windows10-ltsc 2021-x64
  1  329D6F9DDB...XI_X64      windows10-ltsc 2021-x64
  1  LBB.exe                  windows10-ltsc 2021-x64
  9  LBB_PS1.ps1              windows10-ltsc 2021-x64
  9  LBB_PS1_ob...ed.ps1      windows10-ltsc 2021-x64
  3  LBB_PS1_pass.ps1         windows10-ltsc 2021-x64
 10  LBB_Reflec...in.dll      windows10-ltsc 2021-x64
  7  LBB_Rundll32.dll         windows10-ltsc 2021-x64
  3  LBB_Rundll32_pass.dll    windows10-ltsc 2021-x64
 10  LBB_pass.exe             windows10-ltsc 2021-x64
 10  FC8E43EC21...32.exe      windows10-ltsc 2021-x64
  7  FC8E43EC21...64.exe      windows10-ltsc 2021-x64
Analysis (score 7)
max time kernel: 38s
max time network: 38s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 20-12-2024 00:56
Behavioral tasks (every task ran on resource win10ltsc2021-20241211-en):
behavioral1   329D6F9DDBF138D4/locker_ESXI_I386
behavioral2   329D6F9DDBF138D4/locker_ESXI_X64
behavioral3   LBB.exe
behavioral4   LBB_PS1.ps1
behavioral5   LBB_PS1_obfuscated.ps1
behavioral6   LBB_PS1_pass.ps1
behavioral7   LBB_ReflectiveDll_DllMain.dll
behavioral8   LBB_Rundll32.dll
behavioral9   LBB_Rundll32_pass.dll
behavioral10  LBB_pass.exe
behavioral11  FC8E43EC21BE9047/lbg32.exe
behavioral12  FC8E43EC21BE9047/lbg64.exe
General
Target: LBB_PS1.ps1
Size: 466KB
MD5: 17a7cd1ead2d35ed5d69c71d4fd7386d
SHA1: 734400d4444b88fe3848c80e3dba2ad9a5155c56
SHA256: 20dd91f589ea77b84c8ed0f67bce837d1f4d7688e56754e709d467db0bea03c9
SHA512: 7d5cd9b042229d1076a587b75594a002d379396d6ec889a8aee457a6a5a399130ae0a43fe0863adae23e32e46a7d17d4b55bfc2564cb17e579751161f6778828
SSDEEP: 1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJI:VA
Malware Config
Signatures
Renames multiple (184) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed with an added extension.

Deletes itself (1 IoC)
pid 4312  9887.tmp

Executes dropped EXE (1 IoC)
pid 4312  9887.tmp

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Set value (str)  \REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\kF0wnCN24.bmp"  powershell.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\kF0wnCN24.bmp"  powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
pid 2580  powershell.exe  (6 times)
pid 4312  9887.tmp        (6 times)

Command and Scripting Interpreter: PowerShell (1 IoC)
pid 64  powershell.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9887.tmp

Modifies registry class (5 IoCs)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24\ = "kF0wnCN24"  powershell.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon  powershell.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24  powershell.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon\ = "C:\\ProgramData\\kF0wnCN24.ico"  powershell.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24  powershell.exe

Opens file in notepad (likely ransom note) (1 IoC)
pid 2348  NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid 64    powershell.exe  (2 times)
pid 2580  powershell.exe  (14 times)

Suspicious behavior: RenamesItself (26 IoCs)
pid 4312  9887.tmp  (26 times)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid 64    powershell.exe  Token: SeDebugPrivilege
pid 2580  powershell.exe  Token: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeBackupPrivilege, SeDebugPrivilege, followed by 45 further SeBackupPrivilege / SeSecurityPrivilege adjustments in a repeating pattern

Suspicious use of WriteProcessMemory (7 IoCs)
pid 64    powershell.exe  wrote to memory of 2580  (procid_target 82)  3 times
pid 2580  powershell.exe  wrote to memory of 4312  (procid_target 94)  4 times

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. The report records vssvc.exe starting during the run (see Processes); whether existing shadow copies were deleted is not shown here.
Processes

powershell.exe  (PID 64)
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\LBB_PS1.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  powershell.exe  (PID 2580, child of 64)
    Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\Admin\AppData\Local\Temp\LBB_PS1.ps1
    - Sets desktop wallpaper using registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    9887.tmp  (PID 4312, child of 2580)
      Image: C:\ProgramData\9887.tmp
      Command line: "C:\ProgramData\9887.tmp"
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: RenamesItself

vssvc.exe  (PID 3060)
  Image: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe

NOTEPAD.EXE  (PID 2348)
  Image: C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\kF0wnCN24.README.txt
  - Opens file in notepad (likely ransom note)
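The process chain, the registry writes and the mass rename recorded in this report can be turned into host-side detection logic. What follows is an added example written for this page, not code from the Triage report or from the sample. It runs over constructed Sysmon-style events that mirror the run (EventID 1 process creation, EventID 13 registry value set, plus an EDR-style rename event, since Sysmon emits none) and flags the execution-policy bypass, the System32-to-SysWOW64 PowerShell hop, the dropped .tmp executing from ProgramData, the new extension registered under HKLM\SOFTWARE\Classes together with its DefaultIcon, the wallpaper write, and renames that append one extension to many files. The event layout, the renamed file names, the parent PID 5000 and the attribution of the renames to 9887.tmp are assumptions; the PIDs, paths and registry values are the ones the report shows.

```python
import re
from collections import Counter

# Constructed Sysmon-style events modelled on this report (assumption: Sysmon has no
# rename event, so renames use an EDR-style id "rename"; file names are invented).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 64, "ppid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\LBB_PS1.ps1"},
    {"id": 1, "pid": 2580, "ppid": 64,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\Admin\AppData\Local\Temp\LBB_PS1.ps1'},
    {"id": 1, "pid": 4312, "ppid": 2580,
     "image": r"C:\ProgramData\9887.tmp", "cmdline": r'"C:\ProgramData\9887.tmp"'},
    {"id": 13, "pid": 2580, "target": r"HKLM\SOFTWARE\Classes\.kF0wnCN24\(Default)", "details": "kF0wnCN24"},
    {"id": 13, "pid": 2580, "target": r"HKLM\SOFTWARE\Classes\kF0wnCN24\DefaultIcon\(Default)",
     "details": r"C:\ProgramData\kF0wnCN24.ico"},
    {"id": 13, "pid": 2580,
     "target": r"HKU\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\Desktop\WallPaper",
     "details": r"C:\ProgramData\kF0wnCN24.bmp"},
    # a benign rename (extension replaced, not appended) that must not be counted
    {"id": "rename", "pid": 4312, "src": r"C:\Users\Admin\Desktop\notes.txt", "dst": r"C:\Users\Admin\Desktop\notes.bak"},
] + [
    {"id": "rename", "pid": 4312, "src": rf"C:\Users\Admin\Documents\report{i}.docx",
     "dst": rf"C:\Users\Admin\Documents\report{i}.docx.kF0wnCN24"} for i in range(40)
]

POLICY_BYPASS = re.compile(r"-(?:ex|ep|exec|executionpolicy)\s+bypass", re.I)   # -ExecutionPolicy / -ex / -ep
CLASSES_EXT = re.compile(r"\\classes\\\.([^\\]+)\\", re.I)                       # ...\Classes\.<ext>\
CLASSES_ICON = re.compile(r"\\classes\\([^\\.][^\\]*)\\defaulticon\\", re.I)     # ...\Classes\<ProgID>\DefaultIcon\


def _processes(events):
    return {e["pid"]: e for e in events if e["id"] == 1}


def find_powershell_bypass(events):
    """PIDs of PowerShell processes started with the execution policy bypassed."""
    return [e["pid"] for e in events if e["id"] == 1
            and e["image"].lower().endswith("powershell.exe") and POLICY_BYPASS.search(e["cmdline"])]


def find_arch_hops(events):
    """(parent, child) pairs where 64-bit PowerShell re-launched itself as 32-bit (SysWOW64)."""
    procs, hops = _processes(events), []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if not parent:
            continue
        p, c = parent["image"].lower(), e["image"].lower()
        if p.endswith("powershell.exe") and "\\system32\\" in p and c.endswith("powershell.exe") and "\\syswow64\\" in c:
            hops.append((parent["pid"], e["pid"]))
    return hops


def find_dropped_executables(events):
    """Images run from ProgramData or Temp without an .exe extension, parented by PowerShell."""
    procs, hits = _processes(events), []
    for e in procs.values():
        parent, img = procs.get(e["ppid"]), e["image"].lower()
        if parent and parent["image"].lower().endswith("powershell.exe") \
                and ("\\programdata\\" in img or "\\temp\\" in img) and not img.endswith(".exe"):
            hits.append(e["image"])
    return hits


def find_registered_extensions(events):
    """Extensions registered under ...\\Classes, mapped to the DefaultIcon path of their ProgID (or None)."""
    ext_to_progid, progid_to_icon = {}, {}
    for e in events:
        if e["id"] != 13:
            continue
        if m := CLASSES_EXT.search(e["target"]):
            ext_to_progid[m.group(1)] = e["details"]
        if m := CLASSES_ICON.search(e["target"]):
            progid_to_icon[m.group(1)] = e["details"]
    return {ext: progid_to_icon.get(progid) for ext, progid in ext_to_progid.items()}


def find_wallpaper_changes(events):
    """Wallpaper paths written through the registry (this run drops its wallpaper in ProgramData)."""
    return [e["details"] for e in events if e["id"] == 13
            and e["target"].lower().endswith("\\control panel\\desktop\\wallpaper")]


def find_appended_extensions(events, threshold=20):
    """Extensions appended to at least `threshold` files (original name kept, one suffix added)."""
    counts = Counter()
    for e in events:
        if e["id"] != "rename" or not e["dst"].startswith(e["src"] + "."):
            continue
        suffix = e["dst"][len(e["src"]) + 1:]
        if "." not in suffix:
            counts[suffix] += 1
    return {ext: n for ext, n in counts.items() if n >= threshold}


def assess(events, threshold=20):
    """Combine the signals; the decisive one is the appended extension matching a newly registered one."""
    appended, registered = find_appended_extensions(events, threshold), find_registered_extensions(events)
    f = {"powershell_bypass": find_powershell_bypass(events), "arch_hops": find_arch_hops(events),
         "dropped_executables": find_dropped_executables(events), "registered_extensions": registered,
         "wallpaper": find_wallpaper_changes(events), "appended_extensions": appended,
         "extension_correlated": sorted(set(appended) & set(registered))}
    if f["extension_correlated"] or (appended and f["wallpaper"]):
        f["verdict"] = "ransomware"
    elif f["powershell_bypass"] or f["dropped_executables"]:
        f["verdict"] = "suspicious"
    else:
        f["verdict"] = "clean"
    return f
```

The check that carries the weight is the last one: the extension being appended to files is the one just registered under Classes with an icon dropped in ProgramData. Either signal alone is noisy (installers register extensions, users rename files); together they describe exactly this run. The rename threshold and the ProgramData/Temp path list are starting points to tune per environment.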
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Filesize: 1KB
MD5: ab3bde1d495878b0d54bbf552fbd3b0d
SHA1: 695293de04b1f84f2c29ae536dcf28d49b751425
SHA256: 7deba83538bbb06cddd80ffcd9d42960a8690f0ec54fe625e0757c0803ccbb08
SHA512: 2f5f5491ef90a97950e0471c862fe47c08472ada828bcfd1dc9b40c063de3ad3171158bbe792e4bed553dd7188964750125da764e2c87581e48179eb1f8ead99

Filesize: 466KB
MD5: 3b699ed7c822d70afcb98c3e654aec90
SHA1: 2ec85ef8256c4a63071f621befd9028e8bbc16e6
SHA256: 1532756962e30b88ac254ea838ae7f62e1e639ef3d5173dd24cfa68bbb118256
SHA512: 11f264f89de466448435667f6e391054d1f38e4d7599ac1d396f49004b48fe7b489394aac7531d8eb7d4bd9a7351c0b41807426138a5b7257b5acc49cbfa1ba3

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 6KB
MD5: b97a8c710973a9b18377f57a327f9d15
SHA1: affbe47fc2fc9a1eb2bf23da373ca2699505f5a7
SHA256: 905247c03be9ba4199024e02f2df31c8b318d12a045bb5a9942bcf392d7a82be
SHA512: 5873149b2c261fb16de49c523bcfbe3e919bee65f717b657cbde658c07933f737c0f4f29739a2909577c7071561add3b9f19256b1a3eb7f8a4e7b74fdad3df08