Overview
overview
7Static
static
3Roflection.exe
windows11-21h2-x64
7$PLUGINSDI...er.dll
windows11-21h2-x64
3$PLUGINSDI...ls.dll
windows11-21h2-x64
3$PLUGINSDI...em.dll
windows11-21h2-x64
3$PLUGINSDI...ll.dll
windows11-21h2-x64
3LICENSES.c...m.html
windows11-21h2-x64
3Roflection.exe
windows11-21h2-x64
7d3dcompiler_47.dll
windows11-21h2-x64
1ffmpeg.dll
windows11-21h2-x64
1libEGL.dll
windows11-21h2-x64
1libGLESv2.dll
windows11-21h2-x64
1resources/elevate.exe
windows11-21h2-x64
3swiftshade...GL.dll
windows11-21h2-x64
1swiftshade...v2.dll
windows11-21h2-x64
1vk_swiftshader.dll
windows11-21h2-x64
1vulkan-1.dll
windows11-21h2-x64
1$PLUGINSDI...ec.dll
windows11-21h2-x64
3$PLUGINSDI...ss.dll
windows11-21h2-x64
3$PLUGINSDI...7z.dll
windows11-21h2-x64
3Uninstall ...on.exe
windows11-21h2-x64
7$PLUGINSDI...ls.dll
windows11-21h2-x64
3$PLUGINSDI...em.dll
windows11-21h2-x64
3$PLUGINSDI...ll.dll
windows11-21h2-x64
3$PLUGINSDI...ec.dll
windows11-21h2-x64
3$PLUGINSDI...ss.dll
windows11-21h2-x64
3Analysis
-
max time kernel
143s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
02/08/2024, 18:59
Static task
static1
Behavioral task
behavioral1
Sample
Roflection.exe
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral2
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/WinShell.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral6
Sample
LICENSES.chromium.html
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral7
Sample
Roflection.exe
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral8
Sample
d3dcompiler_47.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral9
Sample
ffmpeg.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral10
Sample
libEGL.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral11
Sample
libGLESv2.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral12
Sample
resources/elevate.exe
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral13
Sample
swiftshader/libEGL.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral14
Sample
swiftshader/libGLESv2.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral15
Sample
vk_swiftshader.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral16
Sample
vulkan-1.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/nsExec.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral18
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral19
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral20
Sample
Uninstall Roflection.exe
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral21
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral22
Sample
$PLUGINSDIR/System.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral23
Sample
$PLUGINSDIR/WinShell.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral24
Sample
$PLUGINSDIR/nsExec.dll
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral25
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win11-20240802-en
windows11-21h2-x64
General
-
Target
Roflection.exe
-
Size
129.8MB
-
MD5
77e73e6ad584def493fda2130eef776e
-
SHA1
a41e44b19945cd8473aec091efb6fd2e177e582d
-
SHA256
d4a2c6052852ee4106cb895a9dfc6caedf3a889a371ce3478e8ff9272bfe358e
-
SHA512
bdecd5fe6dd372284ff62439bfb60f0de161d32ca9430e507466cd6ad9dad1993f50afee3b3e8d7ad886c53f42b20020db7ab652f8f582fd8e5f0fd6f80097db
-
SSDEEP
1572864:7mYWQRWtJ65M7a2iu4Rywh9hJyO9N+oJOTU8f/kmgZ2sI:K4M7a2H4Ryu+dNgI
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
pid Process 4288 Roflection.exe 4288 Roflection.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2692 Roflection.exe 2692 Roflection.exe 2344 Roflection.exe 2344 Roflection.exe 2344 Roflection.exe 2344 Roflection.exe -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2092 WMIC.exe Token: SeSecurityPrivilege 2092 WMIC.exe Token: SeTakeOwnershipPrivilege 2092 WMIC.exe Token: SeLoadDriverPrivilege 2092 WMIC.exe Token: SeSystemProfilePrivilege 2092 WMIC.exe Token: SeSystemtimePrivilege 2092 WMIC.exe Token: SeProfSingleProcessPrivilege 2092 WMIC.exe Token: SeIncBasePriorityPrivilege 2092 WMIC.exe Token: SeCreatePagefilePrivilege 2092 WMIC.exe Token: SeBackupPrivilege 2092 WMIC.exe Token: SeRestorePrivilege 2092 WMIC.exe Token: SeShutdownPrivilege 2092 WMIC.exe Token: SeDebugPrivilege 2092 WMIC.exe Token: SeSystemEnvironmentPrivilege 2092 WMIC.exe Token: SeRemoteShutdownPrivilege 2092 WMIC.exe Token: SeUndockPrivilege 2092 WMIC.exe Token: SeManageVolumePrivilege 2092 WMIC.exe Token: 33 2092 WMIC.exe Token: 34 2092 WMIC.exe Token: 35 2092 WMIC.exe Token: 36 2092 WMIC.exe Token: SeIncreaseQuotaPrivilege 2092 WMIC.exe Token: SeSecurityPrivilege 2092 WMIC.exe Token: SeTakeOwnershipPrivilege 2092 WMIC.exe Token: SeLoadDriverPrivilege 2092 WMIC.exe Token: SeSystemProfilePrivilege 2092 WMIC.exe Token: SeSystemtimePrivilege 2092 WMIC.exe Token: SeProfSingleProcessPrivilege 2092 WMIC.exe Token: SeIncBasePriorityPrivilege 2092 WMIC.exe Token: SeCreatePagefilePrivilege 2092 WMIC.exe Token: SeBackupPrivilege 2092 WMIC.exe Token: SeRestorePrivilege 2092 WMIC.exe Token: SeShutdownPrivilege 2092 WMIC.exe Token: SeDebugPrivilege 2092 WMIC.exe Token: SeSystemEnvironmentPrivilege 2092 WMIC.exe Token: SeRemoteShutdownPrivilege 2092 WMIC.exe Token: SeUndockPrivilege 2092 WMIC.exe Token: SeManageVolumePrivilege 2092 WMIC.exe Token: 33 2092 WMIC.exe Token: 34 2092 WMIC.exe Token: 35 2092 WMIC.exe Token: 36 2092 WMIC.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 4288 wrote to memory of 1084 4288 Roflection.exe 80 PID 4288 wrote to memory of 1084 4288 Roflection.exe 80 PID 1084 wrote to memory of 2092 1084 cmd.exe 82 PID 1084 wrote to memory of 2092 1084 cmd.exe 82 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 4416 4288 Roflection.exe 84 PID 4288 wrote to memory of 2692 4288 Roflection.exe 85 PID 4288 wrote to memory of 2692 4288 Roflection.exe 85 PID 4288 wrote to memory of 2344 4288 Roflection.exe 87 PID 4288 wrote to memory of 2344 4288 Roflection.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\Roflection.exe"C:\Users\Admin\AppData\Local\Temp\Roflection.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"2⤵
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092
-
-
-
C:\Users\Admin\AppData\Local\Temp\Roflection.exe"C:\Users\Admin\AppData\Local\Temp\Roflection.exe" --type=gpu-process --field-trial-handle=1740,11789198850623393841,15556746955359359900,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1748 /prefetch:22⤵PID:4416
-
-
C:\Users\Admin\AppData\Local\Temp\Roflection.exe"C:\Users\Admin\AppData\Local\Temp\Roflection.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1740,11789198850623393841,15556746955359359900,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692
-
-
C:\Users\Admin\AppData\Local\Temp\Roflection.exe"C:\Users\Admin\AppData\Local\Temp\Roflection.exe" --type=gpu-process --field-trial-handle=1740,11789198850623393841,15556746955359359900,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2116 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2344
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1128
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
137KB
MD504bfbfec8db966420fe4c7b85ebb506a
SHA1939bb742a354a92e1dcd3661a62d69e48030a335
SHA256da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
SHA5124ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65
-
Filesize
1.8MB
MD53072b68e3c226aff39e6782d025f25a8
SHA1cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA2567fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA51261ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61