Analysis

  • max time kernel
    432s
  • max time network
    437s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-09-2022 09:29

General

  • Target

    LB3_ReflectiveDll_DllMain-cyt.dll

  • Size

    2.0MB

  • MD5

    a0238fac8e650339116bbb380066d949

  • SHA1

    fcd5d98edcc42d320694185c7224a8168b1e8db2

  • SHA256

    5428902b4c844160cb0ee6282a078cbf24d87d46b061ede83ef21682d474cc15

  • SHA512

    5cc4adad36858a340edff775cc46d2b16515a919231cd4a8cb75929fd2ac02e2037a00c7a4c5620af05e5d842ea5f8a04ef7e2597cdddeb35f23465fac36f48d

  • SSDEEP

    24576:As6VSLLsktePr7vfObQywjVhK6at0EO1Z/wMmM6z/OQb2iZIiylxvl6tqbSwbWV:xgSLJmXviQyK/F1x6DBUN6Dq0

Malware Config

Extracted

Path

C:\1GLtau6EZ.README.txt

Ransom Note
GREETINGS FROM BL00DY RANSOMWARE GANG

What happened ? Your entire company network is penetrated and encrypted. All files on servers and computers locked and not usable Dont panic All files are decryptable We will recover all your files to normal

What Bl00dy Gang take / steal from your company network ? We download your company important files / documents / databases/ mails / accounts We publish it to the public if you dont cooperate .

What BL00DY Gang needs from YOU ? We expect nothing except appreciating our work PAY US in this way you appreciate our work

How to contact the BL00DY Gang for ransom negotiations ? filedecryptionsupport@msgsafe.io Telegram hall of shame , where all company private data will be PUBLISHED?? https://t.me/bl00dy_Ransomware_Gang

What Quarantees ? we are not a politically motivated group and we do not need anything other than your money. If you pay, we provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We will help protect your company from any other attacks ; we will give you tips to secure company network We always keep our promises.

!!! BEWARE !!! If you have Backups and try to restore from backups . All entire company files / databases / everything will be posted online DON'T try to rename or modify encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! - Don't try because you will damage all the files Any changes in encrypted files may entail damage of the private key and, as result, the loss all data. Do not report to Police or FBI , they dont care about your business .They will tell you not to pay and you will lose all your files. Recovery Company Cannot help You . things will get rather worse . speak for yourself.
Emails

filedecryptionsupport@msgsafe.io

URLs

https://t.me/bl00dy_Ransomware_Gang

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 17 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\LB3_ReflectiveDll_DllMain-cyt.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\LB3_ReflectiveDll_DllMain-cyt.dll,#1
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Modifies extensions of user files
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\ProgramData\53EB.tmp
        "C:\ProgramData\53EB.tmp"
        3⤵
        • Executes dropped EXE
        • Deletes itself
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:1900
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\53EB.tmp >> NUL
          4⤵
            PID:1936

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Defense Evasion
      Virtualization/Sandbox Evasion (2) T1497
    • Credential Access
      Credentials in Files (1) T1081
    • Discovery
      Query Registry (3) T1012
      Virtualization/Sandbox Evasion (2) T1497
      System Information Discovery (2) T1082
    • Collection
      Data from Local System (1) T1005

    Downloads

    • C:\ProgramData\53EB.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • \ProgramData\53EB.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/820-57-0x0000000074160000-0x000000007465E000-memory.dmp
      Filesize

      5.0MB

    • memory/820-68-0x0000000074160000-0x000000007465E000-memory.dmp
      Filesize

      5.0MB

    • memory/820-59-0x0000000074160000-0x000000007465E000-memory.dmp
      Filesize

      5.0MB

    • memory/820-60-0x0000000077550000-0x00000000776D0000-memory.dmp
      Filesize

      1.5MB

    • memory/820-61-0x0000000074160000-0x000000007465E000-memory.dmp
      Filesize

      5.0MB

    • memory/820-62-0x0000000002160000-0x00000000021A0000-memory.dmp
      Filesize

      256KB

    • memory/820-58-0x0000000074660000-0x0000000074B5E000-memory.dmp
      Filesize

      5.0MB

    • memory/820-70-0x0000000004CF5000-0x0000000004D06000-memory.dmp
      Filesize

      68KB

    • memory/820-56-0x0000000074660000-0x0000000074B5E000-memory.dmp
      Filesize

      5.0MB

    • memory/820-55-0x0000000075091000-0x0000000075093000-memory.dmp
      Filesize

      8KB

    • memory/820-54-0x0000000000000000-mapping.dmp
    • memory/820-69-0x0000000077550000-0x00000000776D0000-memory.dmp
      Filesize

      1.5MB

    • memory/1900-71-0x0000000000400000-0x0000000000407000-memory.dmp
      Filesize

      28KB

    • memory/1900-64-0x0000000000000000-mapping.dmp
    • memory/1900-72-0x00000000020E5000-0x00000000020F6000-memory.dmp
      Filesize

      68KB

    • memory/1936-73-0x0000000000000000-mapping.dmp