Overview

overview

10

Static

static

10

LB3.exe

windows7-x64

10

LB3.exe

windows10-2004-x64

10

Resubmissions

26-12-2024 21:28

241226-1bawba1mcj 10

25-12-2024 16:52

241225-vdh2tayphx 10

Analysis

  • max time kernel
    94s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2024 16:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LB3.exe

  • Size

    147KB

  • MD5

    67008d6538e43ec4ef57359f7ca4f15f

  • SHA1

    65078b6e640146bde300af0a6d70b91f45244343

  • SHA256

    cb43fff6739186bdf2af5d4f34624c020196616cdae86fb755bf3d250bbe9b12

  • SHA512

    9a9e281dcf6a783cb69f6ab9703af716dd304883ad1a92a17bf4498745b563b2560e4624d839cc7577776d31e22f596d821a183c4c4ec350d7fa7a8f0e44db54

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepTN5GqoLVB5FHONF:V6gDBGpvEByocWeX/oZB7u/

Score
10/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\IoBMyuygl.README.txt

Ransom Note
~~~ RdpLocker Recode the world's fastest ransomware~~~ >>>> Your data are stolen and encrypted >>>> Info Our encryption is undetectable and we can encrypt terabytes of data in minutes. A unique public and private key is generated exclusively for you. No one else can decrypt the files we have encrypted. Our services are cheap and reliable. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can contact us using Tox messenger without registration and SMS to negotiate the price. https://tox.chat/download.html Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. RdpLocker Tox ID: CE93C52BFAFA16570B9821C7D0EE7999C78475AD964ACEEF80767B653210D27E3CE6C88F61A5
URLs

https://tox.chat/download.html

Signatures

  • Renames multiple (646) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 7 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:536
    • C:\ProgramData\EA22.tmp
      "C:\ProgramData\EA22.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EA22.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2472
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:4016
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\IoBMyuygl.README.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:1372
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{97DC4684-4F4F-4F61-B705-2243DEC49F1F}.xps" 133796191546410000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:1284
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:436
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4684

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\CCCCCCCCCCC
      Filesize

      129B

      MD5

      8a91983f28b0987413e55d50f12e2be6

      SHA1

      ccba56b8de719c641efbd5a2415962f92fbf5667

      SHA256

      13ba52b63efbf8f880bc82c4f522ff88178819d3ad17ecfd435b974ed4bde16b

      SHA512

      2e1d806ac7949a093e87c3e3d95405fe318b61595d0129395deac0a49bd346c90d33fb7172f142cba7e81f32744bdef738b1af4ab678973179a6e13d7e1f9575

      Download Submit

    • C:\IoBMyuygl.README.txt
      Filesize

      1KB

      MD5

      0fc102c3422c21c1aadfaa1a656dc970

      SHA1

      49cc540c7a5eaa4f12cacdb21e788335d535ccc0

      SHA256

      fe49a063ebe0b4154321062c1110876bab03710ab367d8a5e3dee6e75fc79029

      SHA512

      8cf822ec2d69b4f4bfdc3303b142ff21315d6e5483a98efa834d039f68a6f57e249d374d3c127a65f524123464532afa5700b4dd4808236b082f7a420a260ab0

      Download Submit

    • C:\ProgramData\EA22.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\EEEEEEE
      Filesize

      147KB

      MD5

      9fafbe51a6b91ec47a137a6272b7e11e

      SHA1

      33261d8c2eece0c5bea3e7077c85e08bac7eda50

      SHA256

      e2fbaca85e2e549d3ec3d724a15a561385532ef64e12065c6373503597ea3e67

      SHA512

      ad01da863e05b74fd9adbb11cb34ff8702f7d5172a6449f5519d5a06b5abd2a8df80dc6322243fa1e2579af2107569ac07dcce805c1adc5ad732bb8b8bee6578

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      81ed19227983dee7a6e26cd04ca7fd71

      SHA1

      3042614fc5a8323a57f29c8a7197dd4d957e078e

      SHA256

      79f0d9b49645ba2ffb199d4ed06aa2c0b02de78c89944b7c4b2bc5da36937ddc

      SHA512

      0cb026031a6634d9811434146c8ea19e887a3956c49233e5d786d8b00fb8fc710650a32d67c96d2b08e1a952e7f1727eda9fbae4772abb40fc49907fbb1946fa

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      64c06e9533a241940b3adb8f1af9c53e

      SHA1

      c2e370367ba3c602d3331f974d9d19c0e83dc432

      SHA256

      6e225f6d9d7503a21542840e7e35f8ea860379b78f4ec464c7332f5582db762f

      SHA512

      08b022abd639cd707dde3342560a29153c59f907104e2e4efc200dffe99f2b70ea0565e74db24efc9a3ffc2eaf7c4b72bd79c02c027d947d428a1c79c6aadbae

      Download Submit

    • memory/1284-3041-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1284-3047-0x00007FFEA2BB0000-0x00007FFEA2BC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1284-3114-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1284-3040-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1284-3115-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1284-3039-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1284-3038-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1284-3042-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1284-3116-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1284-3117-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1284-3076-0x00007FFEA2BB0000-0x00007FFEA2BC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-0-0x0000000002D00000-0x0000000002D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-2-0x0000000002D00000-0x0000000002D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-3024-0x0000000002D00000-0x0000000002D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-3025-0x0000000002D00000-0x0000000002D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-1-0x0000000002D00000-0x0000000002D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-3023-0x0000000002D00000-0x0000000002D10000-memory.dmp

      Filesize

      64KB

      Download