Analysis

  • max time kernel: 120s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240729-en
  • resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted: 17-01-2025 16:02

General

  • Target: LB3.exe
  • Size: 147KB
  • MD5: 7d22648cc82617f20b631d91ad4112d0
  • SHA1: 491f2cda7ba7500ad67d686faa6d866f1b49c708
  • SHA256: dee450c1654e768ba58402bebd7834c2f36a321284d736917d76934578992bca
  • SHA512: a5e48ca717a49977078f35a98b560460ccafefef87f17925e3807d0971dfd896441f08c1646708fc517ad89787a799527b77c076d219d4014384e5486c708f5d
  • SSDEEP: 3072:9qJogYkcSNm9V7DoZVNgBlA+GiQ4pfOT:9q2kc4m9tD9A+wc

Malware Config

Extracted

  • Path: C:\hA89nI93a.README.txt
  • Ransom Note:

    ========================================
    !!! ATTENTION !!! Your Files Have Been Encrypted
    ========================================

    What Happened?
    --------------
    All of your important files, documents, photos, and databases have been encrypted using RSA. Without our decryption program, your files cannot be restored.

    Why Trust Us:
    --------------------
    If we dont give you the decryption program after payment, nobody will trust us.

    What You Need to Do:
    --------------------
    To get the decryption program, you must contact us.

    Steps to Restore Your Files:
    ----------------------------
    1. Open Discord and add the username ballets4.
    2. Send us a message and mention your situation.
    3. We will provide further instructions for obtaining the decryption program.

    Important Information:
    -----------------------
    - DO NOT attempt to recover your files using third-party tools. They may damage your data and make recovery impossible.
    - DO NOT rename, move, or modify the encrypted files. This will also make decryption impossible.
    - Only we have the tools required to decrypt your files safely and effectively.

    We are waiting for your message. Time is critical.

    ========================================
    Your Files. Your Responsibility.
    ========================================

Signatures

  • Renames multiple (351) files with added filename extension
    This suggests ransomware activity: encrypting all the files on the system.
  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Drops desktop.ini file(s) (2 IoCs)
  • Indicator Removal: File Deletion (1 TTP)
    Adversaries may delete files left behind by the actions of their intrusion activity.
  • Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Modifies Control Panel (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious behavior: RenamesItself (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe (PID 2088)
    Command line: "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    Signatures: Loads dropped DLL; Drops desktop.ini file(s); Sets desktop wallpaper using registry; System Location Discovery: System Language Discovery; Modifies Control Panel; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    • C:\ProgramData\5216.tmp (PID 2352, child of PID 2088)
      Command line: "C:\ProgramData\5216.tmp"
      Signatures: Deletes itself; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (PID 1488, child of PID 2352)
        Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5216.tmp >> NUL
        Signatures: System Location Discovery: System Language Discovery
  • C:\Windows\system32\AUDIODG.EXE (PID 1092)
    Command line: C:\Windows\system32\AUDIODG.EXE 0x14c

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\AAAAAAAAAAA
    Filesize: 129B
    MD5: b4d40de3b232ebed4b1a3351a5acea67
    SHA1: 61c3ae6b3c0b7d7fe1be435157d9d7e2bfd8abd6
    SHA256: a65d330f962fb93ef7fa416e383c76f7d5acee82fab07161303a2905a9645556
    SHA512: 09960c8a45cbd364dcb07d484c0b5fd66bf3b1cc443fc62a5192c7ba2ccc222f990588f6361a891514084af0cf22673dfcab79e46244b687caee45c2c757fdbb

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDD
    Filesize: 147KB
    MD5: ddac7c1e649bcf439821be234613587b
    SHA1: 6ea0a4c1836e726f23d028a8e18436116dca592b
    SHA256: c6c0a5efe7002f324cfb20b99dc0cae620af5165b4f3031403a3b1b6478879a4
    SHA512: 5405304106cd53a1856cced0763b4cdc58870bdc01c8f4da18f4ac42a68d9f4ed01506b6fc700d5c99abaed90208f5b278e0b3354f050f07c91f1ff5eca6f022

  • C:\hA89nI93a.README.txt
    Filesize: 1KB
    MD5: 9d929639812d5118dfac981317b00e8f
    SHA1: d7cb2fc79cd41c6bfcc967ef9db0fd435f9a0251
    SHA256: f1accb03261d1ae9e542b57b6e9f07bf0c0c18c12c8f59f8cb3961823420d039
    SHA512: 971b2ec4271b2b8ef8fc6e61a09174f183e93de50b7ee374afa76cfbaee51b3f3faa481c539106e3fcc243c27ade39ea163798e35692971ba2ecb928d7997171

  • F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: 20d5ce4a3f4841c666700f5d58bda525
    SHA1: 051c3386726d428ae57191248dc60db795e1db6b
    SHA256: 4903b7bc8ebd5625f71fe4e1429779ae21376761807f5c69b6794ae7803adb4f
    SHA512: 460d1da715163453a70944d04062a3cc5d707cf772c3663164efcec1110fd93825538ab41c332e3c16763b5c22f22bdce0632f52649ddc843d0564261e86eb6c

  • \ProgramData\5216.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • memory/2088-0-0x0000000000D10000-0x0000000000D50000-memory.dmp (Filesize: 256KB)
  • memory/2352-878-0x000000007EF80000-0x000000007EF81000-memory.dmp (Filesize: 4KB)
  • memory/2352-877-0x000000007EF20000-0x000000007EF21000-memory.dmp (Filesize: 4KB)
  • memory/2352-876-0x00000000007B0000-0x00000000007F0000-memory.dmp (Filesize: 256KB)
  • memory/2352-875-0x00000000007B0000-0x00000000007F0000-memory.dmp (Filesize: 256KB)
  • memory/2352-873-0x000000007EFA0000-0x000000007EFA1000-memory.dmp (Filesize: 4KB)
  • memory/2352-908-0x000000007EF60000-0x000000007EF61000-memory.dmp (Filesize: 4KB)
  • memory/2352-907-0x000000007EF40000-0x000000007EF41000-memory.dmp (Filesize: 4KB)