Overview

overview

10

Static

static

10

LB3.exe

windows7-x64

10

LB3.exe

windows10-2004-x64

10

Resubmissions

19-01-2025 12:18

250119-pg3yhaxjbs 10

26-12-2024 21:28

241226-1bawba1mcj 10

25-12-2024 16:52

241225-vdh2tayphx 10

Analysis

  • max time kernel
    92s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2025 12:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LB3.exe

  • Size

    147KB

  • MD5

    67008d6538e43ec4ef57359f7ca4f15f

  • SHA1

    65078b6e640146bde300af0a6d70b91f45244343

  • SHA256

    cb43fff6739186bdf2af5d4f34624c020196616cdae86fb755bf3d250bbe9b12

  • SHA512

    9a9e281dcf6a783cb69f6ab9703af716dd304883ad1a92a17bf4498745b563b2560e4624d839cc7577776d31e22f596d821a183c4c4ec350d7fa7a8f0e44db54

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepTN5GqoLVB5FHONF:V6gDBGpvEByocWeX/oZB7u/

Score
10/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\IoBMyuygl.README.txt

Ransom Note
~~~ RdpLocker Recode the world's fastest ransomware~~~ >>>> Your data are stolen and encrypted >>>> Info Our encryption is undetectable and we can encrypt terabytes of data in minutes. A unique public and private key is generated exclusively for you. No one else can decrypt the files we have encrypted. Our services are cheap and reliable. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can contact us using Tox messenger without registration and SMS to negotiate the price. https://tox.chat/download.html Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. RdpLocker Tox ID: CE93C52BFAFA16570B9821C7D0EE7999C78475AD964ACEEF80767B653210D27E3CE6C88F61A5
URLs

https://tox.chat/download.html

Signatures

  • Renames multiple (626) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LB3.exe
    "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3736
    • C:\ProgramData\CC1B.tmp
      "C:\ProgramData\CC1B.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CC1B.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3032
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\IoBMyuygl.README.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1060
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:2948
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{C7E0DAAF-CC49-4C55-AA7D-A8FBE736603D}.xps" 133817627649000000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:1904

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\OOOOOOOOOOO
      Filesize

      129B

      MD5

      f3025555ae85dadb0fa0c7a5590f9d18

      SHA1

      d18ffc8cf5e93bf3e0f34d0eb540c42dd238aa4d

      SHA256

      8fc0b3cd1c14a51d608ce769a8b32e52037542d6b8dc70b0071f7b84d3563b6a

      SHA512

      8d89723f6f72a13d37efd1eed1ae5ef94c2a8d1053fdf089170b09d0d92f08ae7d1901520293f5b3592f44d72133a6ad6effdabd452d8cff3b371acbfd8f0771

      Download Submit

    • C:\IoBMyuygl.README.txt
      Filesize

      1KB

      MD5

      0fc102c3422c21c1aadfaa1a656dc970

      SHA1

      49cc540c7a5eaa4f12cacdb21e788335d535ccc0

      SHA256

      fe49a063ebe0b4154321062c1110876bab03710ab367d8a5e3dee6e75fc79029

      SHA512

      8cf822ec2d69b4f4bfdc3303b142ff21315d6e5483a98efa834d039f68a6f57e249d374d3c127a65f524123464532afa5700b4dd4808236b082f7a420a260ab0

      Download Submit

    • C:\ProgramData\CC1B.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CCCCCCC
      Filesize

      147KB

      MD5

      cffd9f4d4d10601f3df5f9730ddeb9cc

      SHA1

      b42045d56f2f5bf3371a15f4ae185738489b76fc

      SHA256

      307addc988a426c39b76d1bd2d4bbdf09f7d796ba4541c599174c976c383b27d

      SHA512

      9686b99b827c9edff8aaac7a40fbb02d6a69472685c5df737e2ac48a860a93a594fe94e4e5dee862441257277d3108a4619d0ee5c9d73d38287c93e96d53e582

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{EB241667-3476-4BB8-9835-E7F30CCBB6B0}
      Filesize

      4KB

      MD5

      d0e1702eaa9d6c3920b7c9b05b8b65b1

      SHA1

      f4c01f183c14bd8486aba6bd7470183a1b23182f

      SHA256

      fde85b126ed4ea66fc82a6239c613ac5a19055078ff3d5b01381730abe13f839

      SHA512

      c797e13419df77060f82251b295a5e2aad0dd712a66e6b090aa938ae49503c3e3eab08e57bab05916fcf4454bfc0755d7f9295f610ef8b242e9d0537e921f446

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      6e009f0c3b336110da738f3c238d5616

      SHA1

      27c6369e34db24639c57e4a443fcbff05a51ed62

      SHA256

      ed1a2391cfc1e4efb427d4e28e8ab95578dc522bd685261087090c5a36910fb7

      SHA512

      0fa1e3f561c8749f7e2e2fc3e216167db2ee181a9212a5f734972a07d62ead8617408a58421a53a0b4f6212b21b753ea2def42eefcecd06d3e5bf5515976c282

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      2761038fc669dfc2a163594499365a41

      SHA1

      815e8f3381620273d7c5bd75f17c5bec157f4dac

      SHA256

      3b5a4a4f58eb0f2da10d229efae81ff471ba20d0b018962186d720300d128a35

      SHA512

      4ac09ecadba3e1fc6187e7b58ba924591c5bf41166c68da7558476a725b577bb15f5e06bd89c6f48a224df96e88a135c1f0f6bd2fa38a9d8a015dc8f519efbfa

      Download Submit

    • memory/1904-2816-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1904-2814-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1904-2817-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1904-2815-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1904-2818-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1904-2823-0x00007FF968070000-0x00007FF968080000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1904-2844-0x00007FF968070000-0x00007FF968080000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2444-2802-0x0000000003200000-0x0000000003210000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2444-2-0x0000000003200000-0x0000000003210000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2444-2801-0x0000000003200000-0x0000000003210000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2444-2799-0x0000000003200000-0x0000000003210000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2444-0-0x0000000003200000-0x0000000003210000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2444-1-0x0000000003200000-0x0000000003210000-memory.dmp

      Filesize

      64KB

      Download