Extracted

• • Target

    LB3.exe

  • Size

    147KB

  • MD5

    7d22648cc82617f20b631d91ad4112d0

  • SHA1

    491f2cda7ba7500ad67d686faa6d866f1b49c708

  • SHA256

    dee450c1654e768ba58402bebd7834c2f36a321284d736917d76934578992bca

  • SHA512

    a5e48ca717a49977078f35a98b560460ccafefef87f17925e3807d0971dfd896441f08c1646708fc517ad89787a799527b77c076d219d4014384e5486c708f5d

  • SSDEEP

    3072:9qJogYkcSNm9V7DoZVNgBlA+GiQ4pfOT:9q2kc4m9tD9A+wc

  Score

  10^/10

  defense_evasiondiscoveryransomwarespywarestealer

  • Renames multiple (351) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2