Overview

overview

10

Static

static

10

LB3.exe

windows7-x64

10

LB3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2025 15:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LB3.exe

  • Size

    147KB

  • MD5

    0b6da3700a1bf266d6d2bbf27fd23165

  • SHA1

    f64c2ebf3892e2d498f23b9a7886f67ebbbb2f28

  • SHA256

    4f1c9befcc873120533559c6915aaafd34497eba94d840db4ed28ceba2ebcd49

  • SHA512

    d39d6c9fa03ea2ed2c5aebf9f8811c1b3f3fca2092a8e25d980e8c0ab624d864d841bca9673c7fa843b44204d4f7fbcf1fcfe4fe3678e66a854ddfbf67240cce

  • SSDEEP

    3072:t6glyuxE4GsUPnliByocWep4dd1fL5B594:t6gDBGpvEByocWeAfFn9

Score
10/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\MWlosDcWa.README.txt

Ransom Note
~~~ RdpLocker Recode the world's fastest ransomware~~~ >>>> Your data are stolen and encrypted >>>> Info Our encryption is undetectable and we can encrypt terabytes of data in minutes. A unique public and private key is generated exclusively for you. No one else can decrypt the files we have encrypted. Our services are cheap and reliable. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can contact us using Tox messenger without registration and SMS to negotiate the price. https://tox.chat/download.html Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. RdpLocker Tox ID: CE93C52BFAFA16570B9821C7D0EE7999C78475AD964ACEEF80767B653210D27E3CE6C88F61A5
URLs

https://tox.chat/download.html

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:4284
    • C:\ProgramData\E168.tmp
      "C:\ProgramData\E168.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E168.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3976
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:2312
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{31AB9A91-9476-4377-BC3E-EC8787E25B2D}.xps" 133808225633430000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:1488
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MWlosDcWa.README.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:3336

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\BBBBBBBBBBB
      Filesize

      129B

      MD5

      2a6d511943726f35b30f789dc12988be

      SHA1

      4adc33aba1bf80d37acfcee944189ebb1f479810

      SHA256

      3b55238e8ad9147086ef92e268af5dd48226f60b91ee6ee8e5bf95db11e3f3b8

      SHA512

      72260d1bdb7890a52281f9e4ca0ddbd5141d4bf56a1105547b0aeaa6129aefab18ff2dc557af7aaebd5969795caa8c9d521ca9406160ff41e2563675aecbc323

      Download Submit

    • C:\MWlosDcWa.README.txt
      Filesize

      1KB

      MD5

      0fc102c3422c21c1aadfaa1a656dc970

      SHA1

      49cc540c7a5eaa4f12cacdb21e788335d535ccc0

      SHA256

      fe49a063ebe0b4154321062c1110876bab03710ab367d8a5e3dee6e75fc79029

      SHA512

      8cf822ec2d69b4f4bfdc3303b142ff21315d6e5483a98efa834d039f68a6f57e249d374d3c127a65f524123464532afa5700b4dd4808236b082f7a420a260ab0

      Download Submit

    • C:\ProgramData\E168.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDD
      Filesize

      147KB

      MD5

      a9ffce2d7cab6361dfbb4e28a2fa1516

      SHA1

      2c072aec898d20712229fd7781c51c42a9e85039

      SHA256

      6e663fea0c890af3371af5c5b695febdb834eb47b76b2c4979be2cb30fee4757

      SHA512

      ebbe0891d9224df92c533b45fc856d6b87b18b1f4b0f70f9ec05b0d5b5291c6462d9398bfcc494338ef2adbf06a56c1f22fcec61ba4dbb6738fefb435e839480

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      814c59b808abd1ad21d7befdbdeee5b9

      SHA1

      de73764a4508ed597a0f723b588e543f63daffd9

      SHA256

      66c6c48312cac2f0c88a5ad9c3d93cda02ae0d752d950e47f5d672d7a8a9da6a

      SHA512

      cfbb752c7dd777bf03f66b68222aabbd4b76208664a41a306e4fdcf7f56fda2c5053f104621d783e3ca5c74eda59b5eebb490c8fef3c7fa21a2639e53c40491b

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      f8324bb6c3a926d215ca9c0aad86805f

      SHA1

      11dba7867eb6140567b93386367ff4613b0f342d

      SHA256

      f373a5f2f658927dcbba77fa5e319200292070a200392d1526045ef1b85bddd2

      SHA512

      662f42493b9d4f6331f6deefaa5627dd7c7ccbb796ec336969e5567c745d56c4307829173de2e319792ae12fda6b3d21217d0c7b2de6e155761baa94877ae26b

      Download Submit

    • memory/1488-2984-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-2996-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-3055-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-3056-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-3057-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-2988-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-2994-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-3054-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-2989-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-3016-0x00007FFD138B0000-0x00007FFD138C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-3015-0x00007FFD138B0000-0x00007FFD138C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4688-2966-0x00000000024C0000-0x00000000024D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4688-2-0x00000000024C0000-0x00000000024D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4688-0-0x00000000024C0000-0x00000000024D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4688-1-0x00000000024C0000-0x00000000024D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4688-2965-0x00000000024C0000-0x00000000024D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4688-2967-0x00000000024C0000-0x00000000024D0000-memory.dmp

      Filesize

      64KB

      Download