Overview

Static analysis: score 10

Score  Sample                  Platform
10     ransom.zip              windows7-x64
       ransom.zip              windows10-2004-x64
       ransom.zip              android-13-x64
       ransom.zip              android-13-x64
       ransom.zip              macos-10.15-amd64
       ransom.zip              ubuntu-18.04-amd64
       ransom.zip              debian-9-armhf
       ransom.zip              debian-9-mips
       ransom.zip              debian-9-mipsel
       ransom/Bui...ID.txt     windows7-x64
       ransom/Bui...ID.txt     windows10-2004-x64
       ransom/Bui...ID.txt     android-9-x86
       ransom/Bui...ID.txt     android-13-x64
       ransom/Bui...ID.txt     macos-10.15-amd64
       ransom/Bui...ID.txt     ubuntu-18.04-amd64
       ransom/Bui...ID.txt     debian-9-armhf
       ransom/Bui...ID.txt     debian-9-mips
       ransom/Bui...ID.txt     debian-9-mipsel
       ransom/Build/LB3.exe    windows7-x64
9      ransom/Build/LB3.exe    windows10-2004-x64
9      ransom/Build/LB3.exe    android-13-x64
       ransom/Build/LB3.exe    android-13-x64
       ransom/Build/LB3.exe    macos-10.15-amd64
       ransom/Build/LB3.exe    ubuntu-18.04-amd64
       ransom/Build/LB3.exe    debian-9-armhf
       ransom/Build/LB3.exe    debian-9-mips
       ransom/Build/LB3.exe    debian-9-mipsel
       ransom/keygen.exe       windows7-x64
1      ransom/keygen.exe       windows10-2004-x64
3      ransom/keygen.exe       android-11-x64
       ransom/keygen.exe       android-13-x64
       ransom/keygen.exe       macos-10.15-amd64
Analysis

max time kernel:   118s
max time network:  122s
platform:          windows7_x64
resource:          win7-20240903-en
resource tags:     arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted:         05/02/2025, 11:06
Behavioral tasks

Task          Sample                           Resource
behavioral1   ransom.zip                       win7-20240903-en
behavioral2   ransom.zip                       win10v2004-20250129-en
behavioral3   ransom.zip                       android-33-x64-arm64-20240624-en
behavioral4   ransom.zip                       android-33-x64-arm64-20240624-en
behavioral5   ransom.zip                       macos-20241101-en
behavioral6   ransom.zip                       ubuntu1804-amd64-20240508-en
behavioral7   ransom.zip                       debian9-armhf-20240729-en
behavioral8   ransom.zip                       debian9-mipsbe-20240611-en
behavioral9   ransom.zip                       debian9-mipsel-20240418-en
behavioral10  ransom/Build/DECRYPTION_ID.txt   win7-20241023-en
behavioral11  ransom/Build/DECRYPTION_ID.txt   win10v2004-20241007-en
behavioral12  ransom/Build/DECRYPTION_ID.txt   android-x86-arm-20240624-en
behavioral13  ransom/Build/DECRYPTION_ID.txt   android-33-x64-arm64-20240624-en
behavioral14  ransom/Build/DECRYPTION_ID.txt   macos-20241106-en
behavioral15  ransom/Build/DECRYPTION_ID.txt   ubuntu1804-amd64-20240611-en
behavioral16  ransom/Build/DECRYPTION_ID.txt   debian9-armhf-20240729-en
behavioral17  ransom/Build/DECRYPTION_ID.txt   debian9-mipsbe-20240611-en
behavioral18  ransom/Build/DECRYPTION_ID.txt   debian9-mipsel-20240418-en
behavioral19  ransom/Build/LB3.exe             win7-20240903-en
behavioral20  ransom/Build/LB3.exe             win10v2004-20250129-en
behavioral21  ransom/Build/LB3.exe             android-33-x64-arm64-20240624-en
behavioral22  ransom/Build/LB3.exe             android-33-x64-arm64-20240910-en
behavioral23  ransom/Build/LB3.exe             macos-20241101-en
behavioral24  ransom/Build/LB3.exe             ubuntu1804-amd64-20240611-en
behavioral25  ransom/Build/LB3.exe             debian9-armhf-20240611-en
behavioral26  ransom/Build/LB3.exe             debian9-mipsbe-20240729-en
behavioral27  ransom/Build/LB3.exe             debian9-mipsel-20240418-en
behavioral28  ransom/keygen.exe                win7-20240903-en
behavioral29  ransom/keygen.exe                win10v2004-20250129-en
behavioral30  ransom/keygen.exe                android-x64-arm64-20240624-en
behavioral31  ransom/keygen.exe                android-33-x64-arm64-20240910-en
behavioral32  ransom/keygen.exe                macos-20241106-en
General

Target:  ransom/Build/LB3.exe
Size:    145KB
MD5:     b2cb742a43762106fc03fa1e26fd4f68
SHA1:    aef4e9199b06b835b6e677c0910d3ed6fdf96ef3
SHA256:  f4dcf20fcdd95d241eadcd88ce30998189d0682132456e9254321a8d6d281611
SHA512:  d0521e8a496e53a309acf7f9d388e684bfa068cc77d23ae6a7da75e6dea962b2a9e3dd5a27dc5e45c054aa025e3ff1a3c237a996aab2fbcfaa68483481ca4975
SSDEEP:  3072:5qJogYkcSNm9V7D58PleQQuloQwssCnT:5q2kc4m9tDcQvuiQfD
Malware Config
Signatures
Renames multiple (356) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Deletes itself (1 IoC)
  pid 2376  FA66.tmp

Executes dropped EXE (1 IoC)
  pid 2376  FA66.tmp

Loads dropped DLL (1 IoC)
  pid 2436  LB3.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (2 IoCs)
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini  LB3.exe
  File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini  LB3.exe

Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\BNzPckH0e.bmp"  LB3.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\BNzPckH0e.bmp"  LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 2376  FA66.tmp

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  LB3.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  FA66.tmp
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Modifies Control Panel (2 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop  LB3.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\WallpaperStyle = "10"  LB3.exe

Modifies registry class (5 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e  LB3.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon\ = "C:\\ProgramData\\BNzPckH0e.ico"  LB3.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e  LB3.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e\ = "BNzPckH0e"  LB3.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon  LB3.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 2436  LB3.exe  (14 identical entries)

Suspicious behavior: RenamesItself (26 IoCs)
  pid 2376  FA66.tmp  (26 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All entries are pid 2436, LB3.exe. Tokens in the order reported:
  SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege,
  SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege,
  SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege,
  SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  followed by the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege
  repeated 12 times (48 entries).

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2436 (LB3.exe)  wrote to memory of 2376  procid_target 33  (5 entries)
  PID 2376 (FA66.tmp) wrote to memory of 1540  procid_target 34  (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe  (PID 2436)
  command line: C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe dsrm -subtree -noprompt -c user"http://+:443"
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\FA66.tmp  (PID 2376)
    command line: "C:\ProgramData\FA66.tmp"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1540)
      command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FA66.tmp >> NUL
      - System Location Discovery: System Language Discovery

C:\Windows\system32\AUDIODG.EXE  (PID 2932)
  command line: C:\Windows\system32\AUDIODG.EXE 0x148
Network
MITRE ATT&CK Enterprise v15
Downloads