Analysis
-
max time kernel
95s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2024 15:10
Behavioral task
behavioral1
Sample
LB3.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
LB3.exe
Resource
win10v2004-20241007-en
General
-
Target
LB3.exe
-
Size
147KB
-
MD5
67008d6538e43ec4ef57359f7ca4f15f
-
SHA1
65078b6e640146bde300af0a6d70b91f45244343
-
SHA256
cb43fff6739186bdf2af5d4f34624c020196616cdae86fb755bf3d250bbe9b12
-
SHA512
9a9e281dcf6a783cb69f6ab9703af716dd304883ad1a92a17bf4498745b563b2560e4624d839cc7577776d31e22f596d821a183c4c4ec350d7fa7a8f0e44db54
-
SSDEEP
3072:V6glyuxE4GsUPnliByocWepTN5GqoLVB5FHONF:V6gDBGpvEByocWeX/oZB7u/
Malware Config
Extracted
C:\IoBMyuygl.README.txt
https://tox.chat/download.html
Signatures
-
Renames multiple (615) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation B595.tmp -
Deletes itself 1 IoCs
pid Process 4368 B595.tmp -
Executes dropped EXE 1 IoCs
pid Process 4368 B595.tmp -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini LB3.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini LB3.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PP43k0wq5mv8nm8o8yxumr0boxc.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP6d0i1m5b7mbbwu0j1fz3bth8c.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP8vl9kl_4q3t5eeepxrqus23o.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\IoBMyuygl.bmp" LB3.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\IoBMyuygl.bmp" LB3.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 4368 B595.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LB3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B595.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop LB3.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\WallpaperStyle = "10" LB3.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.IoBMyuygl LB3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.IoBMyuygl\ = "IoBMyuygl" LB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IoBMyuygl\DefaultIcon LB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IoBMyuygl LB3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IoBMyuygl\DefaultIcon\ = "C:\\ProgramData\\IoBMyuygl.ico" LB3.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 628 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4304 ONENOTE.EXE 4304 ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe 2872 LB3.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp 4368 B595.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeDebugPrivilege 2872 LB3.exe Token: 36 2872 LB3.exe Token: SeImpersonatePrivilege 2872 LB3.exe Token: SeIncBasePriorityPrivilege 2872 LB3.exe Token: SeIncreaseQuotaPrivilege 2872 LB3.exe Token: 33 2872 LB3.exe Token: SeManageVolumePrivilege 2872 LB3.exe Token: SeProfSingleProcessPrivilege 2872 LB3.exe Token: SeRestorePrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeSystemProfilePrivilege 2872 LB3.exe Token: SeTakeOwnershipPrivilege 2872 LB3.exe Token: SeShutdownPrivilege 2872 LB3.exe Token: SeDebugPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeBackupPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe Token: SeSecurityPrivilege 2872 LB3.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process 4304 ONENOTE.EXE 4304 ONENOTE.EXE 4304 ONENOTE.EXE 4304 ONENOTE.EXE 4304 ONENOTE.EXE 4304 ONENOTE.EXE 4304 ONENOTE.EXE 4304 ONENOTE.EXE 4304 ONENOTE.EXE 4304 ONENOTE.EXE 4304 ONENOTE.EXE 4304 ONENOTE.EXE 4304 ONENOTE.EXE 4304 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2872 wrote to memory of 4284 2872 LB3.exe 89 PID 2872 wrote to memory of 4284 2872 LB3.exe 89 PID 1616 wrote to memory of 4304 1616 printfilterpipelinesvc.exe 95 PID 1616 wrote to memory of 4304 1616 printfilterpipelinesvc.exe 95 PID 2872 wrote to memory of 4368 2872 LB3.exe 96 PID 2872 wrote to memory of 4368 2872 LB3.exe 96 PID 2872 wrote to memory of 4368 2872 LB3.exe 96 PID 2872 wrote to memory of 4368 2872 LB3.exe 96 PID 4368 wrote to memory of 2456 4368 B595.tmp 97 PID 4368 wrote to memory of 2456 4368 B595.tmp 97 PID 4368 wrote to memory of 2456 4368 B595.tmp 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\LB3.exe"C:\Users\Admin\AppData\Local\Temp\LB3.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:4284
-
-
C:\ProgramData\B595.tmp"C:\ProgramData\B595.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B595.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:2456
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:2824
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\IoBMyuygl.README.txt1⤵
- Opens file in notepad (likely ransom note)
PID:628
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9724A583-ECE7-45D6-AC83-9A507A416071}.xps" 1337952662381400002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4304
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5bc415e66c8fb3c7f6fe3fd59366a9c4f
SHA150687270512490f8ada885c0fdca6887a20cd4df
SHA256a610b05b553e5b0fca82edbb695324711a562ddff9a54f475ab7d62b08a91acc
SHA5120bd0218826a749f60c0f031a69d25b892bc945a5f4e955be91a63645aaf20299385750589394dae3fde6835926171d27beaeecd2c7505fce65bc20b4dd446b8a
-
Filesize
1KB
MD50fc102c3422c21c1aadfaa1a656dc970
SHA149cc540c7a5eaa4f12cacdb21e788335d535ccc0
SHA256fe49a063ebe0b4154321062c1110876bab03710ab367d8a5e3dee6e75fc79029
SHA5128cf822ec2d69b4f4bfdc3303b142ff21315d6e5483a98efa834d039f68a6f57e249d374d3c127a65f524123464532afa5700b4dd4808236b082f7a420a260ab0
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
147KB
MD5c0457ae234634f75669c4676db0d5ec2
SHA1981b0f2839cf367ad9e54c1c2e2da0da588e3d13
SHA2564742b174f9daa6df1302b63f900979d9effc5c2b92969265f359d6848eb94eb8
SHA5120465c513682d69ff3254f5b4340e174a8d71611b6774e1029391f9c51390ddbc20d3997f164c130e4ad5680f653d6f4f67f64853855735e0fc106511bcfbcad9
-
Filesize
4KB
MD54efd52fe6f1fdb5a4eb609a7476f4cb7
SHA1432801ef9b2af06c34fc383817cce95d08617f37
SHA2564248c722eae8d9d7a4f43047ca1ba9f59936055534c3e5dc743e9a7e5f1581d3
SHA51298d22ea56e38eac068719b700396139162bbbc7353e1b1ae854dc7818db6dc37c8fc9c2c3de7755c6133c9ab0f86ca8c5f10c6861c7439b9d6f86d8f25892c31
-
Filesize
129B
MD559585d7ab2063b9325bb729f258a69bd
SHA19bf10dcd01336b17161025a1063fb14168475271
SHA256a1a6ba3d11bfcbbd1b2489adc414f7f92adb40a4e794e3a857c5bc1c83c31344
SHA512d4ce3b223e2e8d3fe817ec262b05648fb84bf06cb9a158424e7ad677f805456dbdac937811cf855065925117b92f87b55542dbd0a3d7afd8dd496bcff57addc6