4f1c9befcc873120533559c6915aaafd34497eba94d840db4ed28ceba2ebcd49

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LB3.exe
Size

147KB
MD5

0b6da3700a1bf266d6d2bbf27fd23165
SHA1

f64c2ebf3892e2d498f23b9a7886f67ebbbb2f28
SHA256

4f1c9befcc873120533559c6915aaafd34497eba94d840db4ed28ceba2ebcd49
SHA512

d39d6c9fa03ea2ed2c5aebf9f8811c1b3f3fca2092a8e25d980e8c0ab624d864d841bca9673c7fa843b44204d4f7fbcf1fcfe4fe3678e66a854ddfbf67240cce
SSDEEP

3072:t6glyuxE4GsUPnliByocWep4dd1fL5B594:t6gDBGpvEByocWeAfFn9

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\MWlosDcWa.README.txt

Ransom Note

~~~ RdpLocker Recode the world's fastest ransomware~~~ >>>> Your data are stolen and encrypted >>>> Info Our encryption is undetectable and we can encrypt terabytes of data in minutes. A unique public and private key is generated exclusively for you. No one else can decrypt the files we have encrypted. Our services are cheap and reliable. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can contact us using Tox messenger without registration and SMS to negotiate the price. https://tox.chat/download.html Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. RdpLocker Tox ID: CE93C52BFAFA16570B9821C7D0EE7999C78475AD964ACEEF80767B653210D27E3CE6C88F61A5

URLs

https://tox.chat/download.html

Signatures

Deletes itself 1 IoCs

pid	Process
1880	E041.tmp

Executes dropped EXE 1 IoCs

pid	Process
1880	E041.tmp

Loads dropped DLL 1 IoCs

pid	Process
2424	LB3.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini	LB3.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2424	LB3.exe
2424	LB3.exe
2424	LB3.exe
2424	LB3.exe
1880	E041.tmp

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E041.tmp

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2424	LB3.exe
2424	LB3.exe
2424	LB3.exe
2424	LB3.exe
2424	LB3.exe
2424	LB3.exe
2424	LB3.exe
2424	LB3.exe
2424	LB3.exe
2424	LB3.exe
2424	LB3.exe
2424	LB3.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp
1880	E041.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeDebugPrivilege	2424	LB3.exe
Token: 36	2424	LB3.exe
Token: SeImpersonatePrivilege	2424	LB3.exe
Token: SeIncBasePriorityPrivilege	2424	LB3.exe
Token: SeIncreaseQuotaPrivilege	2424	LB3.exe
Token: 33	2424	LB3.exe
Token: SeManageVolumePrivilege	2424	LB3.exe
Token: SeProfSingleProcessPrivilege	2424	LB3.exe
Token: SeRestorePrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeSystemProfilePrivilege	2424	LB3.exe
Token: SeTakeOwnershipPrivilege	2424	LB3.exe
Token: SeShutdownPrivilege	2424	LB3.exe
Token: SeDebugPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeBackupPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe
Token: SeSecurityPrivilege	2424	LB3.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1880	2424	LB3.exe	33
PID 2424 wrote to memory of 1880	2424	LB3.exe	33
PID 2424 wrote to memory of 1880	2424	LB3.exe	33
PID 2424 wrote to memory of 1880	2424	LB3.exe	33
PID 2424 wrote to memory of 1880	2424	LB3.exe	33
PID 1880 wrote to memory of 1408	1880	E041.tmp	34
PID 1880 wrote to memory of 1408	1880	E041.tmp	34
PID 1880 wrote to memory of 1408	1880	E041.tmp	34
PID 1880 wrote to memory of 1408	1880	E041.tmp	34

C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\ProgramData\E041.tmp
  "C:\ProgramData\E041.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E041.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini

Filesize
129B

MD5
f3c698e652185afdd27f429a5ca158a0

SHA1
213d7c8ea3dcacf919ad2687aba9cfac4f137b72

SHA256
a630927c6eefdf053bccb26adff3db5817d04523a58f648d135420da6bae0d0c

SHA512
40bc6b73ea26ef27c85bc4935211c3dc2e59f006d2e298a7e2fd5ad29b2ca726a018aa104d85e7355a00d6a62aab3faedc645bd2a9728959fe13c092665f06d8

Download Submit
C:\MWlosDcWa.README.txt

Filesize
1KB

MD5
0fc102c3422c21c1aadfaa1a656dc970

SHA1
49cc540c7a5eaa4f12cacdb21e788335d535ccc0

SHA256
fe49a063ebe0b4154321062c1110876bab03710ab367d8a5e3dee6e75fc79029

SHA512
8cf822ec2d69b4f4bfdc3303b142ff21315d6e5483a98efa834d039f68a6f57e249d374d3c127a65f524123464532afa5700b4dd4808236b082f7a420a260ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDD

Filesize
147KB

MD5
21460034c4db2dac78ecf6d8433cb78f

SHA1
d848dac67b1aa842ff1aacbd246d5140419d6e64

SHA256
1d5a158178eebf8e0002cbf3b814072433288e52223da3f9964521a9e793604c

SHA512
ac788ee71f4e5f98b6fddbe395b6e5a89874019e08fa1f2b9986084ac9cd1aaff8d334553778337a3dbb5c06f17817eb448a6d50a52b3b30f66a615a4958e1a6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\DDDDDDDDDDD

Filesize
129B

MD5
d0936a77ab9f2ad7982b7db4915be78c

SHA1
d0976d3635b1e67743538ac17ce83d36dc34feec

SHA256
020533b8f65ad47a389a6a5f9011bb9912b515b9188e9e792d4e62172a7a4ea6

SHA512
fc70b8a0ec3a321bc339e10ddc63df00bcda16c97107ed417246af46fd39d33822fd3204dd5ac0a703e16dd9f18eac376ba73191a177b5c512c49489f70fc151

Download Submit
\ProgramData\E041.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1880-877-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1880-876-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1880-875-0x0000000002100000-0x0000000002140000-memory.dmp

Filesize
256KB

Download
memory/1880-874-0x0000000002100000-0x0000000002140000-memory.dmp

Filesize
256KB

Download
memory/1880-873-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1880-907-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/1880-906-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2424-0-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/2424-1-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download