Overview

Overview score: 10
Static score: 10

Tasks (sample, platform, score):
- 329D6F9DDB...I_I386, ubuntu-22.04-amd64, (no score)
- 329D6F9DDB...XI_X64, ubuntu-24.04-amd64, 8
- LBB.exe, windows7-x64, 9
- LBB.exe, windows10-2004-x64, 9
- LBB_PS1.ps1, windows7-x64, 5
- LBB_PS1.ps1, windows10-2004-x64, 9
- LBB_PS1_ob...ed.ps1, windows7-x64, 3
- LBB_PS1_ob...ed.ps1, windows10-2004-x64, 3
- LBB_PS1_pass.ps1, windows7-x64, 10
- LBB_PS1_pass.ps1, windows10-2004-x64, 10
- LBB_Reflec...in.dll, windows7-x64, 9
- LBB_Reflec...in.dll, windows10-2004-x64, 7
- LBB_Rundll32.dll, windows7-x64, 3
- LBB_Rundll32.dll, windows10-2004-x64, 3
- LBB_Rundll32_pass.dll, windows7-x64, 10
- LBB_Rundll32_pass.dll, windows10-2004-x64, 10
- LBB_pass.exe, windows7-x64, 10
- LBB_pass.exe, windows10-2004-x64, 10
- FC8E43EC21...32.exe, windows7-x64, 7
- FC8E43EC21...32.exe, windows10-2004-x64, 7
- FC8E43EC21...64.exe, windows7-x64, 7
- FC8E43EC21...64.exe, windows10-2004-x64, 7

Analysis
- max time kernel: 18s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-12-2024 14:36
Behavioral tasks (task, sample, resource):
- behavioral1: 329D6F9DDBF138D4/locker_ESXI_I386, ubuntu2204-amd64-20240611-en
- behavioral2: 329D6F9DDBF138D4/locker_ESXI_X64, ubuntu2404-amd64-20240729-en
- behavioral3: LBB.exe, win7-20240903-en
- behavioral4: LBB.exe, win10v2004-20241007-en
- behavioral5: LBB_PS1.ps1, win7-20240903-en
- behavioral6: LBB_PS1.ps1, win10v2004-20241007-en
- behavioral7: LBB_PS1_obfuscated.ps1, win7-20240708-en
- behavioral8: LBB_PS1_obfuscated.ps1, win10v2004-20241007-en
- behavioral9: LBB_PS1_pass.ps1, win7-20241010-en
- behavioral10: LBB_PS1_pass.ps1, win10v2004-20241007-en
- behavioral11: LBB_ReflectiveDll_DllMain.dll, win7-20240729-en
- behavioral12: LBB_ReflectiveDll_DllMain.dll, win10v2004-20241007-en
- behavioral13: LBB_Rundll32.dll, win7-20240903-en
- behavioral14: LBB_Rundll32.dll, win10v2004-20241007-en
- behavioral15: LBB_Rundll32_pass.dll, win7-20240903-en
- behavioral16: LBB_Rundll32_pass.dll, win10v2004-20241007-en
- behavioral17: LBB_pass.exe, win7-20241010-en
- behavioral18: LBB_pass.exe, win10v2004-20241007-en
- behavioral19: FC8E43EC21BE9047/lbg32.exe, win7-20240903-en
- behavioral20: FC8E43EC21BE9047/lbg32.exe, win10v2004-20241007-en
- behavioral21: FC8E43EC21BE9047/lbg64.exe, win7-20240903-en
- behavioral22: FC8E43EC21BE9047/lbg64.exe, win10v2004-20241007-en
General
- Target: FC8E43EC21BE9047/lbg32.exe
- Size: 60KB
- MD5: c5cc3c5cef6b382568a54f579b2965ff
- SHA1: e85b5bf2fd1ea0d5d71841f2cc8d46fc2055c22b
- SHA256: 48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5
- SHA512: 74d93ba3dc7b3fdfafe30663162dad3fee0b278d12fea527eb535b4eb25979dcc365b49cb702ac9c2addbb0ee550310759e88c2657b61a2b0e4906d4099281eb
- SSDEEP: 1536:SAndsqiqdYMRgIaN04k27Gtdf/3U9s1iGbQTqL9:Fds3vIaN04kKGhjmq
Malware Config
Signatures
- Credentials from Password Stores: Windows Credential Manager (1 TTPs)
  Suspicious access to Credentials History.
- Deletes itself (1 IoCs)
  pid / Process: 1172 lbg32.exe
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description / ioc / Process:
  File opened (read-only)  \??\I:  lbg32.exe
  File opened (read-only)  \??\M:  lbg32.exe
  File opened (read-only)  \??\X:  lbg32.exe
  File opened (read-only)  \??\N:  lbg32.exe
  File opened (read-only)  \??\E:  lbg32.exe
  File opened (read-only)  \??\P:  lbg32.exe
  File opened (read-only)  \??\A:  lbg32.exe
  File opened (read-only)  \??\S:  lbg32.exe
  File opened (read-only)  \??\H:  lbg32.exe
  File opened (read-only)  \??\J:  lbg32.exe
  File opened (read-only)  \??\K:  lbg32.exe
  File opened (read-only)  \??\L:  lbg32.exe
  File opened (read-only)  \??\Y:  lbg32.exe
  File opened (read-only)  \??\U:  lbg32.exe
  File opened (read-only)  \??\O:  lbg32.exe
  File opened (read-only)  \??\B:  lbg32.exe
  File opened (read-only)  \??\D:  lbg32.exe
  File opened (read-only)  \??\F:  lbg32.exe
  File opened (read-only)  \??\V:  lbg32.exe
  File opened (read-only)  \??\T:  lbg32.exe
  File opened (read-only)  \??\G:  lbg32.exe
  File opened (read-only)  \??\Z:  lbg32.exe
- Drops file in Program Files directory (64 IoCs)
  description / ioc / Process:
  File opened for modification  C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.1082917c7624  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png.8076f5142e5c  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\vreg\osmuxmui.msi.16.en-us.vreg.dat.b0bd0e2432fc  lbg32.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif.1d8e90718339  lbg32.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-It.otf.8c66e9203278  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\SEQCHK10.DLL.93811101f3a9  lbg32.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.15b3a59f9967  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.2c81ae404e18  lbg32.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ug.txt.7d85fb13214b  lbg32.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.5aaef74a48b2  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.43c8883f21f7  lbg32.exe
  File opened for modification  C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.ce20ede2ec3a  lbg32.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\mai\Restore-My-Files.txt  lbg32.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\fr-FR\Restore-My-Files.txt  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.4084c734227c  lbg32.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\an.txt.1ba7bfb98771  lbg32.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\nn.txt.03323293a15b  lbg32.exe
  File opened for modification  C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.b2c1705e5086  lbg32.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.e45bbcb8ba70  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.28fad1c4beec  lbg32.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer.28efc4dcd6e4  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML.1e352892846a  lbg32.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.92d5440610ae  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.8b51d9696b41  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.a915bfcff5a7  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.e58e68999bd1  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.a9802ac5cb9d  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms.e320c08f81d7  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.d2ed3c46703e  lbg32.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\ko\Restore-My-Files.txt  lbg32.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.66a1c40a0452  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.6060030c02d4  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.7b087017295f  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.afb11dc5cffd  lbg32.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\sk-SK\Restore-My-Files.txt  lbg32.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties.e21effb280ea  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.66a2c70e0456  lbg32.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac.15aabc898b61  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.1ad6cf9a98d2  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.1ff0ec939deb  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.465a1fde2496  lbg32.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\FPA_f3\Restore-My-Files.txt  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.70c0b31c12c4  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.b2a71622d08a  lbg32.exe
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\Restore-My-Files.txt  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\vreg\office32ww.msi.16.x-none.vreg.dat.355264f9fb01  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.4d713fe3d19b  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat.f3c535a19349  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.2095b674423c  lbg32.exe
  File created  C:\Program Files\VideoLAN\VLC\skins\Restore-My-Files.txt  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.437a3ad3e18b  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.1b475ff98731  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.cf8448a3b5fb  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png.b6f94c2a3482  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.05f8fe99a7d1  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.b54dfb6b6983  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.5f722ed7ddaf  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.46fabfdee496  lbg32.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.03e7e7b1aff9  lbg32.exe
  File created  C:\Program Files\Internet Explorer\Restore-My-Files.txt  lbg32.exe
  File created  C:\Program Files\Java\jre-1.8\Restore-My-Files.txt  lbg32.exe
  File opened for modification  C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.2782a64f4517  lbg32.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.95fb6d0f0967  lbg32.exe
  File created  C:\Program Files (x86)\Common Files\System\de-DE\Restore-My-Files.txt  lbg32.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lbg32.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid / Process: 1172 lbg32.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege  1172  lbg32.exe
  Token: SeBackupPrivilege  232  vssvc.exe
  Token: SeRestorePrivilege  232  vssvc.exe
  Token: SeAuditPrivilege  232  vssvc.exe
  Token: SeIncreaseQuotaPrivilege  2524  WMIC.exe
  Token: SeSecurityPrivilege  2524  WMIC.exe
  Token: SeTakeOwnershipPrivilege  2524  WMIC.exe
  Token: SeLoadDriverPrivilege  2524  WMIC.exe
  Token: SeSystemProfilePrivilege  2524  WMIC.exe
  Token: SeSystemtimePrivilege  2524  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2524  WMIC.exe
  Token: SeIncBasePriorityPrivilege  2524  WMIC.exe
  Token: SeCreatePagefilePrivilege  2524  WMIC.exe
  Token: SeBackupPrivilege  2524  WMIC.exe
  Token: SeRestorePrivilege  2524  WMIC.exe
  Token: SeShutdownPrivilege  2524  WMIC.exe
  Token: SeDebugPrivilege  2524  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2524  WMIC.exe
  Token: SeRemoteShutdownPrivilege  2524  WMIC.exe
  Token: SeUndockPrivilege  2524  WMIC.exe
  Token: SeManageVolumePrivilege  2524  WMIC.exe
  Token: 33  2524  WMIC.exe
  Token: 34  2524  WMIC.exe
  Token: 35  2524  WMIC.exe
  Token: 36  2524  WMIC.exe
  Token: SeIncreaseQuotaPrivilege  2524  WMIC.exe
  Token: SeSecurityPrivilege  2524  WMIC.exe
  Token: SeTakeOwnershipPrivilege  2524  WMIC.exe
  Token: SeLoadDriverPrivilege  2524  WMIC.exe
  Token: SeSystemProfilePrivilege  2524  WMIC.exe
  Token: SeSystemtimePrivilege  2524  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2524  WMIC.exe
  Token: SeIncBasePriorityPrivilege  2524  WMIC.exe
  Token: SeCreatePagefilePrivilege  2524  WMIC.exe
  Token: SeBackupPrivilege  2524  WMIC.exe
  Token: SeRestorePrivilege  2524  WMIC.exe
  Token: SeShutdownPrivilege  2524  WMIC.exe
  Token: SeDebugPrivilege  2524  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2524  WMIC.exe
  Token: SeRemoteShutdownPrivilege  2524  WMIC.exe
  Token: SeUndockPrivilege  2524  WMIC.exe
  Token: SeManageVolumePrivilege  2524  WMIC.exe
  Token: 33  2524  WMIC.exe
  Token: 34  2524  WMIC.exe
  Token: 35  2524  WMIC.exe
  Token: 36  2524  WMIC.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / Process / procid_target:
  PID 1172 wrote to memory of 2088  1172  lbg32.exe  86
  PID 1172 wrote to memory of 2088  1172  lbg32.exe  86
  PID 2088 wrote to memory of 2524  2088  cmd.exe  88
  PID 2088 wrote to memory of 2524  2088  cmd.exe  88
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe"
  PID: 1172
  - Deletes itself
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B73E7983-AA33-419D-BAF8-A90C0C18FA26}'" delete
    PID: 2088
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B73E7983-AA33-419D-BAF8-A90C0C18FA26}'" delete
      PID: 2524
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 232
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6KB
  MD5: 74a77bd81fa83b32b595eafa20c978ec
  SHA1: 5ce7e2079a61d012d4839a84eb7bb329651a2ead
  SHA256: 49cc31e84e5f3cf75de5d5f58f62ac6c43d9dca726dfc750593129b730a56616
  SHA512: 71accd7c7e1060a696718a4f11a7e04c2f6c16b05dfe4fa12e80878d703a403b7d33861b1315436f881fba37e1a0c3ae2aefc09499f5e7b04b2c582ba0e635e4