744214bbe4ab445a2778cc66eb4a8a5b64673b245cfbf3500e14ed70f5906ef1

General

Target

LBLeak/Build.bat
Size

741B
MD5

4e46e28b2e61643f6af70a8b19e5cb1f
SHA1

804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256

8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512

009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
47	4912	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4008	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 2072	3704	cmd.exe	89
PID 3704 wrote to memory of 2072	3704	cmd.exe	89
PID 3704 wrote to memory of 2072	3704	cmd.exe	89
PID 3704 wrote to memory of 3728	3704	cmd.exe	90
PID 3704 wrote to memory of 3728	3704	cmd.exe	90
PID 3704 wrote to memory of 3728	3704	cmd.exe	90
PID 3704 wrote to memory of 3808	3704	cmd.exe	91
PID 3704 wrote to memory of 3808	3704	cmd.exe	91
PID 3704 wrote to memory of 3808	3704	cmd.exe	91
PID 3704 wrote to memory of 1760	3704	cmd.exe	92
PID 3704 wrote to memory of 1760	3704	cmd.exe	92
PID 3704 wrote to memory of 1760	3704	cmd.exe	92
PID 3704 wrote to memory of 4988	3704	cmd.exe	93
PID 3704 wrote to memory of 4988	3704	cmd.exe	93
PID 3704 wrote to memory of 4988	3704	cmd.exe	93
PID 3704 wrote to memory of 2988	3704	cmd.exe	94
PID 3704 wrote to memory of 2988	3704	cmd.exe	94
PID 3704 wrote to memory of 2988	3704	cmd.exe	94
PID 3704 wrote to memory of 2980	3704	cmd.exe	95
PID 3704 wrote to memory of 2980	3704	cmd.exe	95
PID 3704 wrote to memory of 2980	3704	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LBLeak\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\LBLeak\Build -pubkey pub.key -privkey priv.key
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2072
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3728
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3808
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4988
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTc0RDM2MDItNTdBRi00RjBELTkzRjktNkMxMjFFMjdDM0E5fSIgdXNlcmlkPSJ7MzhFMzhCQjEtREMzRi00MkY5LUEyRDctQTQ4OTNDQjczM0Q4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Q0U5Qzc4NUYtNDRERi00QkQwLUIyQjQtNjk3RkZCNkIzRDkxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTQ4MDA0NzY4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\priv.key

Filesize
344B

MD5
bd827bfa655257a2c0ab7b47d247820c

SHA1
2087ddfa99de1a201761f659b32f099571a9fb5e

SHA256
1c9de852cdf64a31cade461ec3699e131a6428436a4a5a68c724b3c858813199

SHA512
9dbc2a177f00239667376a1eac76be748407a1ab88c2b6433e9e6446dc36c4393cff94e559d0a78650d53c44ad147d905c16a90eb15add1ab074f3eecb0c9136

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key

Filesize
344B

MD5
30e0a253c6b1106a39b859817f9be138

SHA1
ed81c83a5cfdb0c74cdb3125dd2979884a3c0afc

SHA256
b62511a4cde8e84cee52c0c53d242651f42156689f4bc604b707b35f76d56baf

SHA512
15531f993d16a6ee7a0f36314a079068515106f6cf882cea5cafdaf7d21fbd41c11df83eaa39bd57c9f051d1bba85738fd16989f38447e343114d096751d00a0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads