Overview

Sandbox score: 10

Per-target scores from the report's tab bar (one entry per sample and platform; in the extracted list each score badge follows its entry):

Target                               Platform             Score
Static                               -                    10
Build.bat                            windows7-x64         1
Build.bat                            windows10-2004-x64   1
Build/LB3.exe                        windows7-x64         10
Build/LB3.exe                        windows10-2004-x64   10
Build/LB3Decryptor.exe               windows7-x64         5
Build/LB3Decryptor.exe               windows10-2004-x64   5
Build/LB3_ReflectiveDll_DllMain.dll  windows7-x64         10
Build/LB3_ReflectiveDll_DllMain.dll  windows10-2004-x64   7
Build/LB3_Rundll32.dll               windows7-x64         1
Build/LB3_Rundll32.dll               windows10-2004-x64   1
Build/LB3_Rundll32_pass.dll          windows7-x64         10
Build/LB3_Rundll32_pass.dll          windows10-2004-x64   10
Build/LB3_pass.exe                   windows7-x64         10
Build/LB3_pass.exe                   windows10-2004-x64   10
builder.exe                          windows7-x64         1
builder.exe                          windows10-2004-x64   1
keygen.exe                           windows7-x64         1
keygen.exe                           windows10-2004-x64   1

This page is the analysis of Build/LB3_ReflectiveDll_DllMain.dll on windows10-2004-x64.

Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-03-2024 20:56
Behavioral tasks

Task          Sample                               Resource
behavioral1   Build.bat                            win7-20240215-en
behavioral2   Build.bat                            win10v2004-20240226-en
behavioral3   Build/LB3.exe                        win7-20240221-en
behavioral4   Build/LB3.exe                        win10v2004-20231215-en
behavioral5   Build/LB3Decryptor.exe               win7-20240221-en
behavioral6   Build/LB3Decryptor.exe               win10v2004-20240226-en
behavioral7   Build/LB3_ReflectiveDll_DllMain.dll  win7-20240221-en
behavioral8   Build/LB3_ReflectiveDll_DllMain.dll  win10v2004-20240226-en
behavioral9   Build/LB3_Rundll32.dll               win7-20240221-en
behavioral10  Build/LB3_Rundll32.dll               win10v2004-20240226-en
behavioral11  Build/LB3_Rundll32_pass.dll          win7-20240221-en
behavioral12  Build/LB3_Rundll32_pass.dll          win10v2004-20240226-en
behavioral13  Build/LB3_pass.exe                   win7-20231129-en
behavioral14  Build/LB3_pass.exe                   win10v2004-20240226-en
behavioral15  builder.exe                          win7-20240221-en
behavioral16  builder.exe                          win10v2004-20240226-en
behavioral17  keygen.exe                           win7-20240221-en
behavioral18  keygen.exe                           win10v2004-20240226-en

The analysis on this page is behavioral8 (LB3_ReflectiveDll_DllMain.dll on win10v2004-20240226-en).
General

- Target: Build/LB3_ReflectiveDll_DllMain.dll
- Size: 107KB
- MD5: 660679f8d44100cd240add9862598d66
- SHA1: afca2fd0af09265e099e8cf5b898ea45f01f288a
- SHA256: 6667b29705a3c882d536589dc9d7193725ecdbc42c8bb0cc60f3c9d6d0240275
- SHA512: d347ed75a08678af1eb449230f437d6f0fb3da6f98a6f7d36eaf73c7cd1399ec9712b940b370a92fa9b8d6a2ece5c607e86ecbfa12cc6cda3df85d66475091dd
- SSDEEP: 3072:n9bfmBYtGb2kZlBmLmmnFPNeSDkDqS4AJ:n9ptGakZlsLXFISDzAJ
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation (process: 7985.tmp)

- Deletes itself (1 IoC): pid 3104, 7985.tmp

- Executes dropped EXE (1 IoC): pid 3104, 7985.tmp

- Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs): pid 1648 rundll32.exe (7 calls), pid 3104 7985.tmp (1 call)
  ThreadHideFromDebugger detaches the calling thread from any attached debugger. rundll32.exe does not do this on its own; the calls come from the loaded DLL's code running inside process 1648.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (5 IoCs), all by rundll32.exe (pid 1648):
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.HHuYRxB06
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.HHuYRxB06\ = "HHuYRxB06"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06\DefaultIcon
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06\DefaultIcon\ = "C:\\ProgramData\\HHuYRxB06.ico"
  A new file extension, .HHuYRxB06, is registered under HKLM\SOFTWARE\Classes with a ProgID of the same name whose DefaultIcon points at an .ico file in C:\ProgramData. This is how renamed files get a custom extension and icon in Explorer; the extension string and the icon path are host-specific indicators worth sweeping for.

- Suspicious behavior: EnumeratesProcesses (6 IoCs): pid 1648 rundll32.exe (6 times)

- Suspicious behavior: RenamesItself (26 IoCs): pid 3104 7985.tmp (26 times)

- Suspicious use of AdjustPrivilegeToken (64 IoCs), all by pid 1648 rundll32.exe.
  Distinct privileges adjusted: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, plus the unnamed LUIDs 33 and 36 (SeIncreaseWorkingSetPrivilege and SeDelegateSessionUserImpersonatePrivilege, which the sandbox reports by number only).
  Those 15 privileges are requested in two full passes (30 entries); the other 34 entries are one extra SeDebugPrivilege and repeated SeBackupPrivilege / SeSecurityPrivilege toggles. SeBackupPrivilege and SeRestorePrivilege let a process read and write files regardless of their ACLs.

- Suspicious use of WriteProcessMemory (10 IoCs):
  PID 396 rundll32.exe wrote to memory of PID 1648 rundll32.exe (3 entries, sandbox process id 87)
  PID 1648 rundll32.exe wrote to memory of PID 3104 7985.tmp (4 entries, sandbox process id 91)
  PID 3104 7985.tmp wrote to memory of PID 3760 cmd.exe (3 entries, sandbox process id 93)
  Each of these pairs is a parent writing into a child it has just created, matching the process tree below one-to-one. Ordinary process creation also writes startup data into the new process, so this signature alone does not establish code injection; confirm with the child's memory before calling it that.
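The registry IoCs above, parsed by an added example (this is not tria.ge's code and not the sample's): it reads the five "Key created" / "Set value" lines exactly as the report prints them, pairs the new extension class with the ProgID it names and that ProgID's DefaultIcon, and flags an icon path under C:\ProgramData together with a random-looking extension. The line format is an assumption about the report text, and the `looks_random` heuristic is this example's own.

```python
import re

# The five registry IoC lines exactly as the report prints them (constructed
# input for this example; the line format is an assumption about the report).
REPORT_IOC_LINES = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.HHuYRxB06 rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.HHuYRxB06\ = "HHuYRxB06" rundll32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06\DefaultIcon rundll32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06 rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06\DefaultIcon\ = "C:\\ProgramData\\HHuYRxB06.ico" rundll32.exe
"""

CLASSES_PREFIX = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
KEY_CREATED = re.compile(r"^Key created (?P<key>\S+) (?P<proc>\S+)$")
SET_VALUE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\S+) = "(?P<val>.*)" (?P<proc>\S+)$')


def parse_ioc_lines(text):
    """Split report lines into the set of created keys and {key: value} for set values."""
    created, values = set(), {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = KEY_CREATED.match(line)
        if m:
            created.add(m.group("key"))
            continue
        m = SET_VALUE.match(line)
        if m:
            # The report doubles backslashes inside quoted string values.
            values[m.group("key")] = m.group("val").replace("\\\\", "\\")
    return created, values


def looks_random(name):
    """Heuristic (this example's own): 7+ characters mixing upper, lower and digits."""
    return (len(name) >= 7 and any(c.isdigit() for c in name)
            and any(c.islower() for c in name) and any(c.isupper() for c in name))


def find_extension_registrations(text):
    """Pair each newly registered .ext class with its ProgID and that ProgID's DefaultIcon."""
    created, values = parse_ioc_lines(text)
    findings = []
    for key, progid in values.items():
        if not key.startswith(CLASSES_PREFIX):
            continue
        sub = key[len(CLASSES_PREFIX):]
        # "<Classes>\.ext\" (trailing backslash) is the (Default) value of the
        # extension key; its string names the ProgID that owns the extension.
        if not (sub.startswith(".") and sub.endswith("\\")):
            continue
        ext = sub.rstrip("\\")
        icon = values.get(CLASSES_PREFIX + progid + "\\DefaultIcon\\")
        findings.append({
            "extension": ext,
            "progid": progid,
            "icon": icon,
            "class_key_created": CLASSES_PREFIX + ext in created,
            "icon_in_programdata": bool(icon) and icon.lower().startswith("c:\\programdata\\"),
            "looks_random": looks_random(ext[1:]),
        })
    return findings


if __name__ == "__main__":
    for finding in find_extension_registrations(REPORT_IOC_LINES):
        print(finding)
```

On a live host the same pairing can be done against HKLM\SOFTWARE\Classes directly: enumerate extension keys created after the incident window, follow the (Default) value to the ProgID, and look at where DefaultIcon points. Legitimate installers put their icons under Program Files or the application directory, not in the root of C:\ProgramData.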
Processes

C:\Windows\system32\rundll32.exe  (PID 396)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (PID 1648, child of 396)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll,#1
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\7985.tmp  (PID 3104, child of 1648)
      "C:\ProgramData\7985.tmp"
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID 3760, child of 3104)
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7985.tmp >> NUL

Reading the tree: the DLL was started as rundll32.exe <dll>,#1, i.e. by export ordinal 1. The 64-bit rundll32.exe in system32 re-launched the 32-bit copy in SysWOW64 with the same command line, which is what rundll32 does when handed a 32-bit DLL, so every flagged behaviour runs inside the WOW64 process 1648. That process dropped and ran C:\ProgramData\7985.tmp, and the dropped file then removed itself through cmd.exe (C:\PROGRA~3 is the 8.3 short name of C:\ProgramData on this VM), so it will not be on disk for post-mortem collection unless it was captured when dropped.
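Detection logic for the self-deletion chain in this tree, as an added example that is not part of the report: it walks constructed process-creation events (the PIDs, images and command lines are the ones in the tree above; the event shape, the explorer.exe parent and the benign cmd.exe event are this example's own assumptions) and flags any cmd.exe whose DEL target is its own parent's image, recording whether that parent is a .tmp in C:\ProgramData that was spawned by rundll32.exe.

```python
import re

# Constructed process-creation events in a simplified Sysmon-like shape (this
# example's own format, not tria.ge's). PIDs, images and command lines are
# those of the process tree in the report; the last two events are added noise.
EVENTS = [
    {"pid": 396, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll,#1"},
    {"pid": 1648, "ppid": 396, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll,#1"},
    {"pid": 3104, "ppid": 1648, "image": r"C:\ProgramData\7985.tmp",
     "cmd": r'"C:\ProgramData\7985.tmp"'},
    {"pid": 3760, "ppid": 3104, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7985.tmp >> NUL'},
    # Benign noise (constructed): a user shell deleting a log file.
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\Users\Admin\old.log'},
]

# "DEL [/switches] <target>": the first non-switch argument after DEL.
DEL_TARGET = re.compile(r"\bDEL\b(?:\s+/\w)*\s+(?P<target>\S+)", re.IGNORECASE)


def basename(path):
    """Lower-cased final component of a Windows path, surrounding quotes stripped."""
    return path.strip('"').rstrip("\\").rsplit("\\", 1)[-1].lower()


def find_self_delete_chains(events):
    """Return one finding per cmd.exe whose DEL target is its parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if basename(ev["image"]) != "cmd.exe":
            continue
        match = DEL_TARGET.search(ev["cmd"])
        parent = by_pid.get(ev["ppid"])
        if match is None or parent is None:
            continue
        # Compare file names only: the report shows the 8.3 form C:\PROGRA~3,
        # so a full-path comparison against C:\ProgramData would miss it.
        if basename(match.group("target")) != basename(parent["image"]):
            continue
        grandparent = by_pid.get(parent["ppid"])
        parent_dir = parent["image"].lower().rsplit("\\", 1)[0]
        findings.append({
            "cmd_pid": ev["pid"],
            "deleted_pid": parent["pid"],
            "deleted_image": parent["image"],
            "spawned_by_rundll32": grandparent is not None
                and basename(grandparent["image"]) == "rundll32.exe",
            "dropped_tmp_in_programdata": parent_dir == r"c:\programdata"
                and parent["image"].lower().endswith(".tmp"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_self_delete_chains(EVENTS):
        print(finding)
```

The two boolean fields are there for scoring: a cmd.exe deleting its parent's image is already unusual, and a parent that is a .tmp in C:\ProgramData launched by rundll32.exe is the exact shape of this report, so a rule can alert at a higher severity when both are set without alerting on every uninstaller that cleans up after itself.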
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
- Filesize: 14KB
- MD5: 294e9f64cb1642dd89229fff0592856b
- SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
- SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
- SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download 2
- Filesize: 107KB
- MD5: 2dd7cac5d0c0364d0eab69c01083da10
- SHA1: e60055f453954aa52ff9b34f2be188be07c74f5f
- SHA256: 4a3d8be1cd5708882c95ea2b245880bbe371c02dcd300153ac880333ef4d8779
- SHA512: b4cabe136283ccdd71083106333698a9b20f3b6de3664136fb8368e5f17ef9dd87ba322db4c574cef7d1b6a597b937c37f964f99ab32ab2274017a185ade8faa

The report does not label these two artefacts. Note that Download 2 has the same 107KB size as the submitted DLL but a different hash set, so it is not simply a copy of the target.