Analysis
max time kernel: 100s
max time network: 139s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 20-12-2024 00:56
Behavioral tasks (every task ran on resource win10ltsc2021-20241211-en)
behavioral1: Sample 329D6F9DDBF138D4/locker_ESXI_I386
behavioral2: Sample 329D6F9DDBF138D4/locker_ESXI_X64
behavioral3: Sample LBB.exe
behavioral4: Sample LBB_PS1.ps1
behavioral5: Sample LBB_PS1_obfuscated.ps1
behavioral6: Sample LBB_PS1_pass.ps1
behavioral7: Sample LBB_ReflectiveDll_DllMain.dll
behavioral8: Sample LBB_Rundll32.dll
behavioral9: Sample LBB_Rundll32_pass.dll
behavioral10: Sample LBB_pass.exe
behavioral11: Sample FC8E43EC21BE9047/lbg32.exe
behavioral12: Sample FC8E43EC21BE9047/lbg64.exe
General
Target: LBB_ReflectiveDll_DllMain.dll
Size: 113KB
MD5: ab5bdca69285d4838af12117c910bfde
SHA1: 208060cf988f1702124504bae0c6a4addbeb6db3
SHA256: 5594fea724aa3a124b259e81999f20affecb2238f7e517c56c450a3a311ab2bd
SHA512: 33c8cb31dd142defcf52ddadaa540d86d8fdd586ad3f0f280d90c66279cf09229edde08efb9daac81383f65ba171b86344c4e5c6343b02270bfa92201e08f547
SSDEEP: 3072:+/fNzovq5EKHttru48dBVFktgraAyHXU:+/Gvq5EKH6zdrFPraA
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation (process: 855C.tmp)

Deletes itself (1 IoC)
  pid 2388, process 855C.tmp

Executes dropped EXE (1 IoC)
  pid 2388, process 855C.tmp

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid 4536, process rundll32.exe
  pid 4536, process rundll32.exe
  pid 2388, process 855C.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rundll32.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 855C.tmp)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)

Modifies registry class (5 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24 (process: rundll32.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24\ = "kF0wnCN24" (process: rundll32.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon (process: rundll32.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24 (process: rundll32.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon\ = "C:\\ProgramData\\kF0wnCN24.ico" (process: rundll32.exe)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 4536, process rundll32.exe (6 events)

Suspicious behavior: RenamesItself (26 IoCs)
  pid 2388, process 855C.tmp (26 events)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 events come from pid 4536, process rundll32.exe. Token privileges, in the order reported:
  SeAssignPrimaryTokenPrivilege
  SeBackupPrivilege
  SeDebugPrivilege
  36
  SeImpersonatePrivilege
  SeIncBasePriorityPrivilege
  SeIncreaseQuotaPrivilege
  33
  SeManageVolumePrivilege
  SeProfSingleProcessPrivilege
  SeRestorePrivilege
  SeSecurityPrivilege
  SeSystemProfilePrivilege
  SeTakeOwnershipPrivilege
  SeShutdownPrivilege
  SeBackupPrivilege
  SeDebugPrivilege
  SeBackupPrivilege
  SeSecurityPrivilege
  SeSecurityPrivilege
  SeBackupPrivilege
  SeBackupPrivilege
  SeSecurityPrivilege
  SeSecurityPrivilege
  SeBackupPrivilege
  SeBackupPrivilege
  SeSecurityPrivilege
  SeSecurityPrivilege
  SeBackupPrivilege
  SeBackupPrivilege
  SeSecurityPrivilege
  SeSecurityPrivilege
  SeBackupPrivilege
  SeBackupPrivilege
  SeSecurityPrivilege
  SeAssignPrimaryTokenPrivilege
  SeBackupPrivilege
  SeDebugPrivilege
  36
  SeImpersonatePrivilege
  SeIncBasePriorityPrivilege
  SeIncreaseQuotaPrivilege
  33
  SeManageVolumePrivilege
  SeProfSingleProcessPrivilege
  SeRestorePrivilege
  SeSecurityPrivilege
  SeSystemProfilePrivilege
  SeTakeOwnershipPrivilege
  SeShutdownPrivilege
  SeSecurityPrivilege
  SeBackupPrivilege
  SeBackupPrivilege
  SeSecurityPrivilege
  SeSecurityPrivilege
  SeBackupPrivilege
  SeBackupPrivilege
  SeSecurityPrivilege
  SeSecurityPrivilege
  SeBackupPrivilege
  SeBackupPrivilege
  SeSecurityPrivilege
  SeSecurityPrivilege
  SeBackupPrivilege

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 4068 wrote to memory of 4536; pid 4068, process rundll32.exe, procid_target 81 (3 events)
  PID 4536 wrote to memory of 2388; pid 4536, process rundll32.exe, procid_target 83 (4 events)
  PID 2388 wrote to memory of 2604; pid 2388, process 855C.tmp, procid_target 84 (3 events)
Processes (indentation shows the parent/child relationship)
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\LBB_ReflectiveDll_DllMain.dll,#1
  PID: 4068
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\LBB_ReflectiveDll_DllMain.dll,#1
    PID: 4536
    Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\ProgramData\855C.tmp
      Command line: "C:\ProgramData\855C.tmp"
      PID: 2388
      Signatures: Checks computer location settings; Deletes itself; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\855C.tmp >> NUL
        PID: 2604
        Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Filesize: 113KB
MD5: daf778578e5163df1a368946dcbe3034
SHA1: 0bb4df363f99db8f9932e4e8eab97d705e9931e4
SHA256: b6773f159083341745d49ab85890b1c60bd093268b7206cbfaa04a716978aca9
SHA512: 692b45f8d0c5ea00dc71b44220a46e48ab965acd20c12579a52174ed0c1758d2baaeea3c7408b06f7ea9b33c46a39f4ff646dc37be7dd86a917be1c7e0db97a8