Overview
overview
10Static
static
10329D6F9DDB...I_I386
ubuntu-22.04-amd64
329D6F9DDB...XI_X64
ubuntu-24.04-amd64
8LBB.exe
windows7-x64
9LBB.exe
windows10-2004-x64
9LBB_PS1.ps1
windows7-x64
5LBB_PS1.ps1
windows10-2004-x64
9LBB_PS1_ob...ed.ps1
windows7-x64
3LBB_PS1_ob...ed.ps1
windows10-2004-x64
3LBB_PS1_pass.ps1
windows7-x64
10LBB_PS1_pass.ps1
windows10-2004-x64
10LBB_Reflec...in.dll
windows7-x64
9LBB_Reflec...in.dll
windows10-2004-x64
7LBB_Rundll32.dll
windows7-x64
3LBB_Rundll32.dll
windows10-2004-x64
3LBB_Rundll32_pass.dll
windows7-x64
10LBB_Rundll32_pass.dll
windows10-2004-x64
10LBB_pass.exe
windows7-x64
10LBB_pass.exe
windows10-2004-x64
10FC8E43EC21...32.exe
windows7-x64
7FC8E43EC21...32.exe
windows10-2004-x64
7FC8E43EC21...64.exe
windows7-x64
7FC8E43EC21...64.exe
windows10-2004-x64
7Analysis
-
max time kernel
100s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2024 14:36
Behavioral task
behavioral1
Sample
329D6F9DDBF138D4/locker_ESXI_I386
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral2
Sample
329D6F9DDBF138D4/locker_ESXI_X64
Resource
ubuntu2404-amd64-20240729-en
Behavioral task
behavioral3
Sample
LBB.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
LBB.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
LBB_PS1.ps1
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
LBB_PS1.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
LBB_PS1_obfuscated.ps1
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
LBB_PS1_obfuscated.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
LBB_PS1_pass.ps1
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
LBB_PS1_pass.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
LBB_ReflectiveDll_DllMain.dll
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
LBB_ReflectiveDll_DllMain.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
LBB_Rundll32.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
LBB_Rundll32.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
LBB_Rundll32_pass.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
LBB_Rundll32_pass.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
LBB_pass.exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
LBB_pass.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
FC8E43EC21BE9047/lbg32.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
FC8E43EC21BE9047/lbg32.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
FC8E43EC21BE9047/lbg64.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
FC8E43EC21BE9047/lbg64.exe
Resource
win10v2004-20241007-en
General
-
Target
LBB_PS1.ps1
-
Size
466KB
-
MD5
17a7cd1ead2d35ed5d69c71d4fd7386d
-
SHA1
734400d4444b88fe3848c80e3dba2ad9a5155c56
-
SHA256
20dd91f589ea77b84c8ed0f67bce837d1f4d7688e56754e709d467db0bea03c9
-
SHA512
7d5cd9b042229d1076a587b75594a002d379396d6ec889a8aee457a6a5a399130ae0a43fe0863adae23e32e46a7d17d4b55bfc2564cb17e579751161f6778828
-
SSDEEP
1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJI:VA
Malware Config
Signatures
-
Renames multiple (172) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation E687.tmp -
Deletes itself 1 IoCs
pid Process 3644 E687.tmp -
Executes dropped EXE 1 IoCs
pid Process 3644 E687.tmp -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\kF0wnCN24.bmp" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\kF0wnCN24.bmp" powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid Process 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp -
pid Process 2480 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E687.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon\ = "C:\\ProgramData\\kF0wnCN24.ico" powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24 powershell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.kF0wnCN24\ = "kF0wnCN24" powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24\DefaultIcon powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\kF0wnCN24 powershell.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 2480 powershell.exe 2480 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp 3644 E687.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2480 powershell.exe Token: SeDebugPrivilege 2208 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeDebugPrivilege 2208 powershell.exe Token: 36 2208 powershell.exe Token: SeImpersonatePrivilege 2208 powershell.exe Token: SeIncBasePriorityPrivilege 2208 powershell.exe Token: SeIncreaseQuotaPrivilege 2208 powershell.exe Token: 33 2208 powershell.exe Token: SeManageVolumePrivilege 2208 powershell.exe Token: SeProfSingleProcessPrivilege 2208 powershell.exe Token: SeRestorePrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeSystemProfilePrivilege 2208 powershell.exe Token: SeTakeOwnershipPrivilege 2208 powershell.exe Token: SeShutdownPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeDebugPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeSecurityPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe Token: SeBackupPrivilege 2208 powershell.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2480 wrote to memory of 2208 2480 powershell.exe 84 PID 2480 wrote to memory of 2208 2480 powershell.exe 84 PID 2480 wrote to memory of 2208 2480 powershell.exe 84 PID 2208 wrote to memory of 3644 2208 powershell.exe 97 PID 2208 wrote to memory of 3644 2208 powershell.exe 97 PID 2208 wrote to memory of 3644 2208 powershell.exe 97 PID 2208 wrote to memory of 3644 2208 powershell.exe 97 PID 3644 wrote to memory of 2480 3644 E687.tmp 106 PID 3644 wrote to memory of 2480 3644 E687.tmp 106 PID 3644 wrote to memory of 2480 3644 E687.tmp 106 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\LBB_PS1.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\Admin\AppData\Local\Temp\LBB_PS1.ps12⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\ProgramData\E687.tmp"C:\ProgramData\E687.tmp"3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E687.tmp >> NUL4⤵
- System Location Discovery: System Language Discovery
PID:2480
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2400
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
1KB
MD5ca6e5843fe0f30068ddef94b0b542eca
SHA11527177e5ccfe0041918840613af104d2ba8a1c8
SHA2562655330566a9953364d9e13e939b3938e96a7b752d4f65f9586841b777ef137a
SHA5123296343e54290ae3c86d7f2deac6fe3e98a0b63428132aea9ae9b1d17805c7cadea183245e7ae9ee2d785430565989f0cd27a49600e7d8c61db66d151450b0e9
-
Filesize
466KB
MD5c9154d1f956d5b9ac91cf57abe5d3825
SHA16fe707ba3bfbb9b1cf3a142aa92a9e7c47eb61b0
SHA25616b14cd03b5b90a584d200b3c41f1a20cf91cfd94860c81ae8b90058ba1882ce
SHA512a18e6834f056534e47327d58b03ddd75b3d02be935ad15d66b79743a778dd60a974e9ab49715dc611b8c68598ebf78b25395fc43296f1e48b48d21c00e2c1b8a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD5e118a94b450f3ff42c46c239603a3d1f
SHA1e7b4532ee2a4f299419066c4276cc29d8f04009d
SHA25602b8dd3500554be91c930eb9499f8ce6f87817561202fed9bebb19d6975d95f0
SHA512e96a3741c5e5c0968d13f0774c0dd503bc6e82738c6a61fc4a98a4a532a6f46cc6cb374bcd4ca349c7975d5c484f1a458e51b0249ef8556de3af4ec36c52c9f2