b094665ec4cdca6d8e9b9f63d8d71b1b9263eda12f1fdd1d8aa820dbf4c231f6

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Build/LB3_ReflectiveDll_DllMain.dll
Size

107KB
MD5

660679f8d44100cd240add9862598d66
SHA1

afca2fd0af09265e099e8cf5b898ea45f01f288a
SHA256

6667b29705a3c882d536589dc9d7193725ecdbc42c8bb0cc60f3c9d6d0240275
SHA512

d347ed75a08678af1eb449230f437d6f0fb3da6f98a6f7d36eaf73c7cd1399ec9712b940b370a92fa9b8d6a2ece5c607e86ecbfa12cc6cda3df85d66475091dd
SSDEEP

3072:n9bfmBYtGb2kZlBmLmmnFPNeSDkDqS4AJ:n9ptGakZlsLXFISDzAJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	20A2.tmp

Deletes itself 1 IoCs

pid	Process
2172	20A2.tmp

Executes dropped EXE 1 IoCs

pid	Process
2172	20A2.tmp

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
2172	20A2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.HHuYRxB06\ = "HHuYRxB06"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06\DefaultIcon	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06\DefaultIcon\ = "C:\\ProgramData\\HHuYRxB06.ico"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.HHuYRxB06	rundll32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp
2172	20A2.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeDebugPrivilege	2432	rundll32.exe
Token: 36	2432	rundll32.exe
Token: SeImpersonatePrivilege	2432	rundll32.exe
Token: SeIncBasePriorityPrivilege	2432	rundll32.exe
Token: SeIncreaseQuotaPrivilege	2432	rundll32.exe
Token: 33	2432	rundll32.exe
Token: SeManageVolumePrivilege	2432	rundll32.exe
Token: SeProfSingleProcessPrivilege	2432	rundll32.exe
Token: SeRestorePrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeSystemProfilePrivilege	2432	rundll32.exe
Token: SeTakeOwnershipPrivilege	2432	rundll32.exe
Token: SeShutdownPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeDebugPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeAssignPrimaryTokenPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeDebugPrivilege	2432	rundll32.exe
Token: 36	2432	rundll32.exe
Token: SeImpersonatePrivilege	2432	rundll32.exe
Token: SeIncBasePriorityPrivilege	2432	rundll32.exe
Token: SeIncreaseQuotaPrivilege	2432	rundll32.exe
Token: 33	2432	rundll32.exe
Token: SeManageVolumePrivilege	2432	rundll32.exe
Token: SeProfSingleProcessPrivilege	2432	rundll32.exe
Token: SeRestorePrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeSystemProfilePrivilege	2432	rundll32.exe
Token: SeTakeOwnershipPrivilege	2432	rundll32.exe
Token: SeShutdownPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeSecurityPrivilege	2432	rundll32.exe
Token: SeBackupPrivilege	2432	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2432	2916	rundll32.exe	94
PID 2916 wrote to memory of 2432	2916	rundll32.exe	94
PID 2916 wrote to memory of 2432	2916	rundll32.exe	94
PID 2432 wrote to memory of 2172	2432	rundll32.exe	101
PID 2432 wrote to memory of 2172	2432	rundll32.exe	101
PID 2432 wrote to memory of 2172	2432	rundll32.exe	101
PID 2432 wrote to memory of 2172	2432	rundll32.exe	101
PID 2172 wrote to memory of 1624	2172	20A2.tmp	102
PID 2172 wrote to memory of 1624	2172	20A2.tmp	102
PID 2172 wrote to memory of 1624	2172	20A2.tmp	102

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll,#1
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\ProgramData\20A2.tmp
    "C:\ProgramData\20A2.tmp"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\20A2.tmp >> NUL
      4⤵
      PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\20A2.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Build\DDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
107KB

MD5
edb474a8f8a46691fe97744bd68c0045

SHA1
00995c87f809758b798dabb4f0fc06a5056e0d4a

SHA256
0c1a58df15754f4aa08de3034e4c5a5b548a35b1c46548bf2afa2d2ac37f56f9

SHA512
a1bdcd47ec32e7bd34ce66ab1580ec7618c98ecf229c3270cce159f11b9a5cf6acb799c41036501484c80f399f8b64edbd76c0fd2c38079212e972830d37c671

Download Submit
memory/2172-14-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/2172-12-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/2172-13-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/2172-15-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/2172-16-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/2172-45-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Filesize
4KB

Download
memory/2172-46-0x000000007FE00000-0x000000007FE01000-memory.dmp

Filesize
4KB

Download
memory/2432-4-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2432-5-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2432-6-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2432-2-0x0000000001FC0000-0x0000000001FD0000-memory.dmp

Filesize
64KB

Download
memory/2432-0-0x0000000001FC0000-0x0000000001FD0000-memory.dmp

Filesize
64KB

Download
memory/2432-1-0x0000000001FC0000-0x0000000001FD0000-memory.dmp

Filesize
64KB

Download