Analysis

  • max time kernel
    100s
  • max time network
    139s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    20-12-2024 00:56

General

  • Target

    LBB_ReflectiveDll_DllMain.dll

  • Size

    113KB

  • MD5

    ab5bdca69285d4838af12117c910bfde

  • SHA1

    208060cf988f1702124504bae0c6a4addbeb6db3

  • SHA256

    5594fea724aa3a124b259e81999f20affecb2238f7e517c56c450a3a311ab2bd

  • SHA512

    33c8cb31dd142defcf52ddadaa540d86d8fdd586ad3f0f280d90c66279cf09229edde08efb9daac81383f65ba171b86344c4e5c6343b02270bfa92201e08f547

  • SSDEEP

    3072:+/fNzovq5EKHttru48dBVFktgraAyHXU:+/Gvq5EKH6zdrFPraA

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\LBB_ReflectiveDll_DllMain.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\LBB_ReflectiveDll_DllMain.dll,#1
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\ProgramData\855C.tmp
        "C:\ProgramData\855C.tmp"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\855C.tmp >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\855C.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDD

    Filesize

    113KB

    MD5

    daf778578e5163df1a368946dcbe3034

    SHA1

    0bb4df363f99db8f9932e4e8eab97d705e9931e4

    SHA256

    b6773f159083341745d49ab85890b1c60bd093268b7206cbfaa04a716978aca9

    SHA512

    692b45f8d0c5ea00dc71b44220a46e48ab965acd20c12579a52174ed0c1758d2baaeea3c7408b06f7ea9b33c46a39f4ff646dc37be7dd86a917be1c7e0db97a8

  • memory/2388-14-0x000000007FE20000-0x000000007FE21000-memory.dmp

    Filesize

    4KB

  • memory/2388-11-0x000000007FE40000-0x000000007FE41000-memory.dmp

    Filesize

    4KB

  • memory/2388-12-0x0000000002690000-0x00000000026A0000-memory.dmp

    Filesize

    64KB

  • memory/2388-15-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

    Filesize

    4KB

  • memory/2388-13-0x0000000002690000-0x00000000026A0000-memory.dmp

    Filesize

    64KB

  • memory/2388-44-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

    Filesize

    4KB

  • memory/2388-45-0x000000007FE00000-0x000000007FE01000-memory.dmp

    Filesize

    4KB

  • memory/4536-4-0x0000000002810000-0x0000000002820000-memory.dmp

    Filesize

    64KB

  • memory/4536-5-0x0000000002810000-0x0000000002820000-memory.dmp

    Filesize

    64KB

  • memory/4536-0-0x00000000008E0000-0x00000000008F0000-memory.dmp

    Filesize

    64KB

  • memory/4536-2-0x00000000008E0000-0x00000000008F0000-memory.dmp

    Filesize

    64KB

  • memory/4536-1-0x00000000008E0000-0x00000000008F0000-memory.dmp

    Filesize

    64KB