Analysis

  • max time kernel
    481s
  • max time network
    483s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-09-2022 09:29

General

  • Target

    LB3_ReflectiveDll_DllMain-cyt.dll

  • Size

    2.0MB

  • MD5

    a0238fac8e650339116bbb380066d949

  • SHA1

    fcd5d98edcc42d320694185c7224a8168b1e8db2

  • SHA256

    5428902b4c844160cb0ee6282a078cbf24d87d46b061ede83ef21682d474cc15

  • SHA512

    5cc4adad36858a340edff775cc46d2b16515a919231cd4a8cb75929fd2ac02e2037a00c7a4c5620af05e5d842ea5f8a04ef7e2597cdddeb35f23465fac36f48d

  • SSDEEP

    24576:As6VSLLsktePr7vfObQywjVhK6at0EO1Z/wMmM6z/OQb2iZIiylxvl6tqbSwbWV:xgSLJmXviQyK/F1x6DBUN6Dq0

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\LB3_ReflectiveDll_DllMain-cyt.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\LB3_ReflectiveDll_DllMain-cyt.dll,#1
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\ProgramData\EEBA.tmp
        "C:\ProgramData\EEBA.tmp"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EEBA.tmp >> NUL
          4⤵
            PID:4008
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:984

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Virtualization/Sandbox Evasion (2) T1497
  • Discovery
    Query Registry (4) T1012
    Virtualization/Sandbox Evasion (2) T1497
    System Information Discovery (4) T1082


Downloads

  • C:\ProgramData\EEBA.tmp
    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • memory/392-132-0x0000000000000000-mapping.dmp
  • memory/392-133-0x0000000075140000-0x000000007563E000-memory.dmp
    Filesize

    5.0MB

  • memory/392-134-0x0000000077B60000-0x0000000077D03000-memory.dmp
    Filesize

    1.6MB

  • memory/392-135-0x0000000075140000-0x000000007563E000-memory.dmp
    Filesize

    5.0MB

  • memory/392-139-0x0000000075140000-0x000000007563E000-memory.dmp
    Filesize

    5.0MB

  • memory/392-140-0x0000000077B60000-0x0000000077D03000-memory.dmp
    Filesize

    1.6MB

  • memory/2416-136-0x0000000000000000-mapping.dmp
  • memory/2416-141-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

  • memory/4008-142-0x0000000000000000-mapping.dmp