Overview
overview
10Static
static
10329D6F9DDB...I_I386
ubuntu-22.04-amd64
329D6F9DDB...XI_X64
ubuntu-24.04-amd64
8LBB.exe
windows7-x64
9LBB.exe
windows10-2004-x64
9LBB_PS1.ps1
windows7-x64
5LBB_PS1.ps1
windows10-2004-x64
9LBB_PS1_ob...ed.ps1
windows7-x64
3LBB_PS1_ob...ed.ps1
windows10-2004-x64
3LBB_PS1_pass.ps1
windows7-x64
10LBB_PS1_pass.ps1
windows10-2004-x64
10LBB_Reflec...in.dll
windows7-x64
9LBB_Reflec...in.dll
windows10-2004-x64
7LBB_Rundll32.dll
windows7-x64
3LBB_Rundll32.dll
windows10-2004-x64
3LBB_Rundll32_pass.dll
windows7-x64
10LBB_Rundll32_pass.dll
windows10-2004-x64
10LBB_pass.exe
windows7-x64
10LBB_pass.exe
windows10-2004-x64
10FC8E43EC21...32.exe
windows7-x64
7FC8E43EC21...32.exe
windows10-2004-x64
7FC8E43EC21...64.exe
windows7-x64
7FC8E43EC21...64.exe
windows10-2004-x64
7Analysis
-
max time kernel
107s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2024 14:36
Behavioral task
behavioral1
Sample
329D6F9DDBF138D4/locker_ESXI_I386
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral2
Sample
329D6F9DDBF138D4/locker_ESXI_X64
Resource
ubuntu2404-amd64-20240729-en
Behavioral task
behavioral3
Sample
LBB.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
LBB.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
LBB_PS1.ps1
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
LBB_PS1.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
LBB_PS1_obfuscated.ps1
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
LBB_PS1_obfuscated.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
LBB_PS1_pass.ps1
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
LBB_PS1_pass.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
LBB_ReflectiveDll_DllMain.dll
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
LBB_ReflectiveDll_DllMain.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
LBB_Rundll32.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
LBB_Rundll32.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
LBB_Rundll32_pass.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
LBB_Rundll32_pass.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
LBB_pass.exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
LBB_pass.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
FC8E43EC21BE9047/lbg32.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
FC8E43EC21BE9047/lbg32.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
FC8E43EC21BE9047/lbg64.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
FC8E43EC21BE9047/lbg64.exe
Resource
win10v2004-20241007-en
General
-
Target
LBB.exe
-
Size
160KB
-
MD5
d1986caa455ffa11b46341e837777e52
-
SHA1
c045c2be676ebba04d7403f3636c7adb685a4011
-
SHA256
e2bda5afc3e70460223a98cd3520e4ab97fd126a48b9fe7d385e1e9730a11407
-
SHA512
ea87e4f31a45a4e54c56dc120ce26c369a02af952d0c20411677c4cba4eb442a43b776d094150458a0b72dc65b53ca29fc300739cc56f81c6f7fee5e15043359
-
SSDEEP
3072:gDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368Pu7YlTx6gIB8FrN75DyW:K5d/zugZqll3AYrG+
Malware Config
Signatures
-
Renames multiple (137) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation A335.tmp -
Deletes itself 1 IoCs
pid Process 4784 A335.tmp -
Executes dropped EXE 1 IoCs
pid Process 4784 A335.tmp -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini LBB.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini LBB.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\kF0wnCN24.bmp" LBB.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\kF0wnCN24.bmp" LBB.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid Process 768 LBB.exe 768 LBB.exe 768 LBB.exe 768 LBB.exe 768 LBB.exe 768 LBB.exe 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LBB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A335.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop LBB.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "10" LBB.exe -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24 LBB.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24\ = "kF0wnCN24" LBB.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon LBB.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24 LBB.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon\ = "C:\\ProgramData\\kF0wnCN24.ico" LBB.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 5064 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 768 LBB.exe 768 LBB.exe 768 LBB.exe 768 LBB.exe 768 LBB.exe 768 LBB.exe 768 LBB.exe 768 LBB.exe 768 LBB.exe 768 LBB.exe 768 LBB.exe 768 LBB.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp 4784 A335.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeDebugPrivilege 768 LBB.exe Token: 36 768 LBB.exe Token: SeImpersonatePrivilege 768 LBB.exe Token: SeIncBasePriorityPrivilege 768 LBB.exe Token: SeIncreaseQuotaPrivilege 768 LBB.exe Token: 33 768 LBB.exe Token: SeManageVolumePrivilege 768 LBB.exe Token: SeProfSingleProcessPrivilege 768 LBB.exe Token: SeRestorePrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeSystemProfilePrivilege 768 LBB.exe Token: SeTakeOwnershipPrivilege 768 LBB.exe Token: SeShutdownPrivilege 768 LBB.exe Token: SeDebugPrivilege 768 LBB.exe Token: SeBackupPrivilege 4676 vssvc.exe Token: SeRestorePrivilege 4676 vssvc.exe Token: SeAuditPrivilege 4676 vssvc.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeSecurityPrivilege 768 LBB.exe Token: SeBackupPrivilege 768 LBB.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1496 OpenWith.exe 1496 OpenWith.exe 1496 OpenWith.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 768 wrote to memory of 4784 768 LBB.exe 86 PID 768 wrote to memory of 4784 768 LBB.exe 86 PID 768 wrote to memory of 4784 768 LBB.exe 86 PID 768 wrote to memory of 4784 768 LBB.exe 86 PID 4784 wrote to memory of 3372 4784 A335.tmp 97 PID 4784 wrote to memory of 3372 4784 A335.tmp 97 PID 4784 wrote to memory of 3372 4784 A335.tmp 97 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\LBB.exe"C:\Users\Admin\AppData\Local\Temp\LBB.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768 -
C:\ProgramData\A335.tmp"C:\ProgramData\A335.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A335.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:3372
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\kF0wnCN24.README.txt1⤵
- Opens file in notepad (likely ransom note)
PID:5064
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1496
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD526b27ad879d5e000958c5fd7515a3b97
SHA16e34faf0a4d7f55201befd35407b6e63b04c51b0
SHA256debc8b69c7f24b583e57a42b1634e46f0440a985a40b75026de78950849408e5
SHA51216aebd47afc6ef8ab21932aaf139e22b0770d06c12b5854d9902d95d7a643ed404cff086317834040a07512a49fe02d6274955330d1b68f1b4842efef9baf03a
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
160KB
MD5019a60983977f0f5332db7c7c08cd3d7
SHA177098e981b3c62e4759331d7f38fe17b16268ef2
SHA2560e232ec18072fa99f3ca54a4eec66a5145bd2e5d4b470bc845fdf8a61ea33646
SHA5122f7eabbb27b43ed923879327aa1e6f90b28aa6d4409942896df05ec588ed36cbc1c05fae82f30543143c9a3755d2851cd75eb5596ceb718e772b9e1367fe34a3
-
Filesize
6KB
MD5dadf854d3adb837ff3493e75207851cf
SHA1422dded8ec95d2ff0335fd6ad8498cda508f5c17
SHA256cd21f86e05bdb32c3119302c47d9f6040a0fd62caf86fff0088c5b9310594218
SHA5126b973f563656367a57d5eb8892125e7ebc9e287ddec17167bc1eb9f557d26b54a84fa6df56e1e7012567a5a43c0de52f454943f3612b7082dff4539977cf8045
-
Filesize
129B
MD59ee8cc26057504fd87dfbca1f2013fb5
SHA1cdc553c41856bb0dbe403a8c98594d63ffbc155f
SHA2562bbc05304b686df7dfbf5e9211d2d00cb5f8de3d0a67f460fc456df35536126d
SHA5126a3841e68197091907e17f7a2703e37fcc48f8e891590afb3bbefeb0ec96c08457048077a797b69190ca81bafa196d97fc703505ba23a3f43d326d30c1e0b153