Analysis

  • max time kernel
    107s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-12-2024 14:36

General

  • Target
    LBB.exe
  • Size
    160KB
  • MD5
    d1986caa455ffa11b46341e837777e52
  • SHA1
    c045c2be676ebba04d7403f3636c7adb685a4011
  • SHA256
    e2bda5afc3e70460223a98cd3520e4ab97fd126a48b9fe7d385e1e9730a11407
  • SHA512
    ea87e4f31a45a4e54c56dc120ce26c369a02af952d0c20411677c4cba4eb442a43b776d094150458a0b72dc65b53ca29fc300739cc56f81c6f7fee5e15043359
  • SSDEEP
    3072:gDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368Pu7YlTx6gIB8FrN75DyW:K5d/zugZqll3AYrG+

Malware Config

Signatures

  • Renames multiple (137) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 6 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\LBB.exe
    "C:\Users\Admin\AppData\Local\Temp\LBB.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\ProgramData\A335.tmp
      "C:\ProgramData\A335.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4784
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A335.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3372
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4676
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\kF0wnCN24.README.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:5064
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\EEEEEEEEEEE
    Filesize: 129B
    MD5: 26b27ad879d5e000958c5fd7515a3b97
    SHA1: 6e34faf0a4d7f55201befd35407b6e63b04c51b0
    SHA256: debc8b69c7f24b583e57a42b1634e46f0440a985a40b75026de78950849408e5
    SHA512: 16aebd47afc6ef8ab21932aaf139e22b0770d06c12b5854d9902d95d7a643ed404cff086317834040a07512a49fe02d6274955330d1b68f1b4842efef9baf03a
  • C:\ProgramData\A335.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
  • C:\Users\Admin\AppData\Local\Temp\DDDDDDD
    Filesize: 160KB
    MD5: 019a60983977f0f5332db7c7c08cd3d7
    SHA1: 77098e981b3c62e4759331d7f38fe17b16268ef2
    SHA256: 0e232ec18072fa99f3ca54a4eec66a5145bd2e5d4b470bc845fdf8a61ea33646
    SHA512: 2f7eabbb27b43ed923879327aa1e6f90b28aa6d4409942896df05ec588ed36cbc1c05fae82f30543143c9a3755d2851cd75eb5596ceb718e772b9e1367fe34a3
  • C:\Users\kF0wnCN24.README.txt
    Filesize: 6KB
    MD5: dadf854d3adb837ff3493e75207851cf
    SHA1: 422dded8ec95d2ff0335fd6ad8498cda508f5c17
    SHA256: cd21f86e05bdb32c3119302c47d9f6040a0fd62caf86fff0088c5b9310594218
    SHA512: 6b973f563656367a57d5eb8892125e7ebc9e287ddec17167bc1eb9f557d26b54a84fa6df56e1e7012567a5a43c0de52f454943f3612b7082dff4539977cf8045
  • F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: 9ee8cc26057504fd87dfbca1f2013fb5
    SHA1: cdc553c41856bb0dbe403a8c98594d63ffbc155f
    SHA256: 2bbc05304b686df7dfbf5e9211d2d00cb5f8de3d0a67f460fc456df35536126d
    SHA512: 6a3841e68197091907e17f7a2703e37fcc48f8e891590afb3bbefeb0ec96c08457048077a797b69190ca81bafa196d97fc703505ba23a3f43d326d30c1e0b153
  • memory/768-0-0x00000000026C0000-0x00000000026D0000-memory.dmp
    Filesize: 64KB
  • memory/768-2-0x00000000026C0000-0x00000000026D0000-memory.dmp
    Filesize: 64KB
  • memory/768-1-0x00000000026C0000-0x00000000026D0000-memory.dmp
    Filesize: 64KB
  • memory/4784-291-0x000000007FE40000-0x000000007FE41000-memory.dmp
    Filesize: 4KB
  • memory/4784-292-0x0000000002370000-0x0000000002380000-memory.dmp
    Filesize: 64KB
  • memory/4784-295-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
    Filesize: 4KB
  • memory/4784-294-0x000000007FE20000-0x000000007FE21000-memory.dmp
    Filesize: 4KB
  • memory/4784-293-0x0000000002370000-0x0000000002380000-memory.dmp
    Filesize: 64KB
  • memory/4784-325-0x0000000002370000-0x0000000002380000-memory.dmp
    Filesize: 64KB
  • memory/4784-324-0x0000000002370000-0x0000000002380000-memory.dmp
    Filesize: 64KB
  • memory/4784-329-0x000000007FDE0000-0x000000007FDE1000-memory.dmp
    Filesize: 4KB
  • memory/4784-330-0x000000007FE00000-0x000000007FE01000-memory.dmp
    Filesize: 4KB