Analysis
max time kernel: 481s
max time network: 483s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-09-2022 09:29
Static task: static1
Behavioral task: behavioral1
  Sample: LB3_ReflectiveDll_DllMain-cyt.dll
  Resource: win7-20220901-en
General
Target: LB3_ReflectiveDll_DllMain-cyt.dll
Size: 2.0MB
MD5: a0238fac8e650339116bbb380066d949
SHA1: fcd5d98edcc42d320694185c7224a8168b1e8db2
SHA256: 5428902b4c844160cb0ee6282a078cbf24d87d46b061ede83ef21682d474cc15
SHA512: 5cc4adad36858a340edff775cc46d2b16515a919231cd4a8cb75929fd2ac02e2037a00c7a4c5620af05e5d842ea5f8a04ef7e2597cdddeb35f23465fac36f48d
SSDEEP: 24576:As6VSLLsktePr7vfObQywjVhK6at0EO1Z/wMmM6z/OQb2iZIiylxvl6tqbSwbWV:xgSLJmXviQyK/F1x6DBUN6Dq0
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
  Description   IoC                                            Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    rundll32.exe
Executes dropped EXE (1 IoC)
Processes:
  PID    Process
  2416   EEBA.tmp
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  Description         IoC                                                               Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   rundll32.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  Description         IoC                                                                                              Process
  Key value queried   \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation   EEBA.tmp
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  Description   IoC                                                                          Process
  Key opened    \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine     rundll32.exe
Checks whether UAC is enabled (1 IoC)
Processes:
  Description         IoC                                                                                    Process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  PID    Process
  392    rundll32.exe
  2416   EEBA.tmp
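Each registry read above (the VirtualBox ACPI table, the BIOS version strings, Software\Wine, EnableLUA and the Geo\Nation geofence lookup) is common enough in benign software that alerting on any one of them is noisy; the signal is that one process, or one process lineage, performs several of them within a single run. The following Python is an added example and is not part of this report or of the sandbox's own rule set: it scores constructed events in the shape of the IoC rows above, per process and across the parent chain taken from the WriteProcessMemory section (1640 > 392 > 2416 > 4008), and alerts when a lineage hits three or more evasion categories. The event tuples, the parent map, the category regexes and the threshold are assumptions made for the example, and the patterns go slightly beyond the report by also matching the FADT and RSDT ACPI tables and SystemBiosDate.

```python
import re
from collections import defaultdict

# Constructed events in the shape of the report's IoC rows: (pid, image, operation, key path).
# They mirror the sandbox trace and are not a live log export. The notepad.exe row is benign
# noise added to show that an ordinary per-application registry read scores nothing.
SID = "S-1-5-21-2891029575-1462575-1165213807-1000"
EVENTS = [
    (392,  "rundll32.exe", "Key opened",        r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (392,  "rundll32.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (392,  "rundll32.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (392,  "rundll32.exe", "Key opened",        r"\REGISTRY\USER\%s\Software\Wine" % SID),
    (392,  "rundll32.exe", "Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (2416, "EEBA.tmp",     "Key value queried", r"\REGISTRY\USER\%s\Control Panel\International\Geo\Nation" % SID),
    (5000, "notepad.exe",  "Key value queried", r"\REGISTRY\USER\%s\Software\Microsoft\Notepad\iWindowPosX" % SID),
]

# Parent chain read off the "wrote to memory of" rows (assumption: the writer is the parent).
PARENTS = {392: 1640, 2416: 392, 4008: 2416}

# Hive prefix and per-user SID are stripped before matching so one pattern covers any user/machine.
HIVE = re.compile(r"^\\REGISTRY\\(MACHINE|USER\\S-1-5-[0-9-]+)\\", re.I)

# One regex per evasion category. VBOX__ is the ACPI OEM id VirtualBox writes into its tables.
CATEGORIES = {
    "vm_acpi":  re.compile(r"^HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "bios":     re.compile(r"^HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I),
    "wine":     re.compile(r"^Software\\Wine$", re.I),
    "uac":      re.compile(r"^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I),
    "geofence": re.compile(r"^Control Panel\\International\\Geo\\Nation$", re.I),
}


def normalize(key):
    """Drop the \\REGISTRY\\MACHINE\\ or \\REGISTRY\\USER\\<SID>\\ prefix."""
    return HIVE.sub("", key, count=1)


def classify(key):
    """Return the evasion category a registry path belongs to, or None for anything else."""
    path = normalize(key)
    for name, rx in CATEGORIES.items():
        if rx.search(path):
            return name
    return None


def score(events, parents, threshold=3):
    """Per process: its own categories, the categories of its whole ancestor chain, and a verdict.

    Processes that touch no evasion key are omitted from the result.
    """
    own = defaultdict(set)
    image = {}
    for pid, img, _op, key in events:
        image[pid] = img
        cat = classify(key)
        if cat:
            own[pid].add(cat)

    findings = {}
    for pid in own:
        lineage, cur, seen = set(), pid, set()
        while cur is not None and cur not in seen:       # walk up to the root, guarding against cycles
            seen.add(cur)
            lineage |= own.get(cur, set())
            cur = parents.get(cur)
        findings[pid] = {
            "image": image[pid],
            "own": sorted(own[pid]),
            "lineage": sorted(lineage),
            "alert": len(lineage) >= threshold,
        }
    return findings


if __name__ == "__main__":
    for pid, f in sorted(score(EVENTS, PARENTS).items()):
        flag = "ALERT" if f["alert"] else "ok"
        print(f"{pid:>5} {f['image']:<14} own={f['own']} lineage={f['lineage']} -> {flag}")
```

The geofence lookup is performed by the dropped EEBA.tmp (PID 2416), not by rundll32.exe, so scoring each process in isolation leaves 2416 at one category; scoring across the lineage brings it to five and makes the drop-and-check pattern visible as one event chain.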
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  PID    Process         Events
  392    rundll32.exe    8
Suspicious behavior: RenamesItself (26 IoCs)
Processes:
  PID    Process     Events
  2416   EEBA.tmp    26
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: all 64 token adjustments are made by PID 392 (rundll32.exe), in this order:
  SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege,
  SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege,
  SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege,
  SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  followed by 12 repetitions of the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege (48 entries).
The two numeric entries are privilege LUIDs the sandbox did not resolve to names; in winnt.h, 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) and 36 is SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (SeDelegateSessionUserImpersonatePrivilege).
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  Source PID   Target PID   Source process   Target process   Writes
  1640         392          rundll32.exe     rundll32.exe     3
  392          2416         rundll32.exe     EEBA.tmp         4
  2416         4008         EEBA.tmp         cmd.exe          3
Processes
C:\Windows\system32\rundll32.exe (PID 1640)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\LB3_ReflectiveDll_DllMain-cyt.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 392)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\LB3_ReflectiveDll_DllMain-cyt.dll,#1
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\EEBA.tmp (PID 2416)
      Command line: "C:\ProgramData\EEBA.tmp"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 4008)
        Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EEBA.tmp >> NUL
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe

The PIDs are taken from the WriteProcessMemory rows above. The native rundll32.exe (PID 1640) hands the DLL to its SysWOW64 copy (PID 392), which is what rundll32 does on x64 when given a 32-bit DLL (the resource tags list arch:x86), so every behavioral signature attaches to PID 392 rather than 1640. The dropped EEBA.tmp is deleted by its own child cmd.exe, which refers to it through the 8.3 short name C:\PROGRA~3 for C:\ProgramData. vssvc.exe (the Volume Shadow Copy service) appears as a separate top-level process with no signatures recorded against it.
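The process tree above contains two things a detection engineer would want to catch mechanically rather than by eye: rundll32.exe executing a dropped file from C:\ProgramData that carries a .tmp extension instead of .exe, and that file spawning cmd.exe to delete its own image, where the DEL target uses the 8.3 short name C:\PROGRA~3 rather than the long path the parent was launched from, so a literal path comparison misses it. The following Python is an added example, not the sandbox's code: it rebuilds the tree from constructed process-creation records mirroring the report (pid, ppid, image, command line), renders it, and implements both checks. The root's parent PID, the extra cmd.exe negative-control row, the staging directories and the regexes are assumptions made for the example.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed process-creation records mirroring the report's tree: (pid, ppid, image, command line).
# PID 1640's parent (1) is a placeholder, and PID 4100 is an invented negative control: a cmd.exe
# child that deletes some other file, which must not be reported as self-deletion.
PROCS = [
    (1640, 1,    r"C:\Windows\system32\rundll32.exe",
                 r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\LB3_ReflectiveDll_DllMain-cyt.dll,#1"),
    (392,  1640, r"C:\Windows\SysWOW64\rundll32.exe",
                 r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\LB3_ReflectiveDll_DllMain-cyt.dll,#1"),
    (2416, 392,  r"C:\ProgramData\EEBA.tmp", r'"C:\ProgramData\EEBA.tmp"'),
    (4008, 2416, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EEBA.tmp >> NUL'),
    (4100, 2416, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\Users\Admin\notes.txt'),
]

# Directories a dropper typically stages in (assumption for the example), lower-cased.
DROP_DIRS = ("c:\\programdata\\", "\\appdata\\local\\temp\\")

# "del" or "erase" followed somewhere later by a drive-letter path; the path ends at whitespace or a quote.
DEL_RE = re.compile(r"""\b(del|erase)\b.*?\b([A-Za-z]:\\[^\s"']+)""", re.I)


def build_tree(procs):
    """Index records by pid and collect children per parent, preserving record order."""
    by_pid = {p[0]: p for p in procs}
    children = defaultdict(list)
    for pid, ppid, _img, _cmd in procs:
        children[ppid].append(pid)
    return by_pid, children


def render(procs):
    """Return the tree as indented text lines, one per process, like the report's listing."""
    by_pid, children = build_tree(procs)
    roots = [pid for pid, ppid, *_ in procs if ppid not in by_pid]
    lines = []

    def walk(pid, depth):
        _, _, img, cmd = by_pid[pid]
        lines.append("  " * depth + f"{img}  {cmd}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def find_dropped_exec(procs):
    """PIDs of non-.exe images run from a staging directory whose parent is rundll32.exe."""
    by_pid, _ = build_tree(procs)
    hits = []
    for pid, ppid, img, _cmd in procs:
        parent = by_pid.get(ppid)
        low = img.lower()
        if (parent and PureWindowsPath(parent[2]).name.lower() == "rundll32.exe"
                and any(d in low for d in DROP_DIRS) and not low.endswith(".exe")):
            hits.append(pid)
    return hits


def find_self_delete(procs):
    """(cmd pid, parent pid, target) for every cmd.exe whose DEL target is its parent's own image.

    The target is compared by file name only, because the command may use an 8.3 short
    directory name (C:\\PROGRA~3) that cannot be resolved offline against C:\\ProgramData.
    """
    by_pid, _ = build_tree(procs)
    hits = []
    for pid, ppid, img, cmd in procs:
        if PureWindowsPath(img).name.lower() != "cmd.exe":
            continue
        m = DEL_RE.search(cmd)
        parent = by_pid.get(ppid)
        if not (m and parent):
            continue
        target = PureWindowsPath(m.group(2))
        if target.name.lower() == PureWindowsPath(parent[2]).name.lower():
            hits.append((pid, ppid, str(target)))
    return hits


if __name__ == "__main__":
    print("\n".join(render(PROCS)))
    print("dropped executables under rundll32:", find_dropped_exec(PROCS))
    print("self-deleting parents:", find_self_delete(PROCS))
```

Matching on the file name rather than the full path is a deliberate trade: it accepts short-name and mixed-case variants the attacker controls, at the cost of a false positive if a parent happens to delete an unrelated file that shares its name, which the parent-child relationship already makes rare.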
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\ProgramData\EEBA.tmp
  Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
Memory dumps
  memory/392-132-0x0000000000000000-mapping.dmp
  memory/392-133-0x0000000075140000-0x000000007563E000-memory.dmp (5.0MB)
  memory/392-134-0x0000000077B60000-0x0000000077D03000-memory.dmp (1.6MB)
  memory/392-135-0x0000000075140000-0x000000007563E000-memory.dmp (5.0MB)
  memory/392-139-0x0000000075140000-0x000000007563E000-memory.dmp (5.0MB)
  memory/392-140-0x0000000077B60000-0x0000000077D03000-memory.dmp (1.6MB)
  memory/2416-136-0x0000000000000000-mapping.dmp
  memory/2416-141-0x0000000000400000-0x0000000000407000-memory.dmp (28KB)
  memory/4008-142-0x0000000000000000-mapping.dmp