Analysis
- max time kernel: 119s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 28-01-2021 20:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: dllhost.exe
- Resource: win7v20201028
General
- Target: dllhost.exe
- Size: 1.8MB
- MD5: 51710e06bbd844ae2b0494e5c142dcbe
- SHA1: 68d8378d23edc21b09be4d56e443a4204c749b6a
- SHA256: dc1649633cb90b8456c19c1b53675ad07d0bf2774d33b8c8f650f1e65489d6fc
- SHA512: eac92e729da84e54c5f010f5cbf87d280a901745e19608187563229c0b0222c2b23c6571ee9843a7664cb7b245d66e961fb3f540ba0c4ddb0eb58e05b614c50c
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (dllhost.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (dllhost.exe)
- Identifies Wine through registry keys [2 TTPs, 1 IoC]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine (dllhost.exe)
- Adds Run key to start application [2 TTPs, 1 IoC]
  Processes:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe" (dllhost.exe)
- Checks whether UAC is enabled
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (dllhost.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  Processes:
  - PID 1152 (dllhost.exe)
- Drops file in Program Files directory [2 IoCs]
  Processes:
  - File created: C:\Program Files (x86)\WPA Host\wpahost.exe (dllhost.exe)
  - File opened for modification: C:\Program Files (x86)\WPA Host\wpahost.exe (dllhost.exe)
- Creates scheduled task(s) [1 TTP, 2 IoCs]
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses [7 IoCs]
  Processes:
  - PID 1152 (dllhost.exe), 7 entries
- Suspicious behavior: GetForegroundWindowSpam [1 IoC]
  Processes:
  - PID 1152 (dllhost.exe)
- Suspicious use of AdjustPrivilegeToken [2 IoCs]
  Processes:
  - Token: SeDebugPrivilege, PID 1152 (dllhost.exe)
  - Token: SeDebugPrivilege, PID 1152 (dllhost.exe)
- Suspicious use of WriteProcessMemory [8 IoCs]
  Processes:
  - PID 1152 (dllhost.exe) wrote to memory of PID 748 (schtasks.exe), 4 entries
  - PID 1152 (dllhost.exe) wrote to memory of PID 672 (schtasks.exe), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\dllhost.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD98.tmp"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEF0.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD98.tmp
  MD5: ee10d5ce3e711f0e871cea6684896e1c
  SHA1: 62665575bb01b06827ab3d21d101bc61be54a91e
  SHA256: 7ff4af41079f53c1c4acf8002328345f8314074f9ebee0bb0511169fffbad2b7
  SHA512: 25f2972dea0468b9882b4d4166347b69cbb9f5a26d959ccacfedbc07800ab3db4e3aa044668d535d47852c6f3016f1a2e7e3e2c4475410aae8dfe64982ea62ce
- C:\Users\Admin\AppData\Local\Temp\tmpEF0.tmp
  MD5: 819bdbdac3be050783d203020e6c4c30
  SHA1: a373521fceb21cac8b93e55ee48578e40a6e740b
  SHA256: 0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053
  SHA512: cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd
- memory/672-8-0x0000000000000000-mapping.dmp
- memory/748-5-0x0000000000000000-mapping.dmp
- memory/1152-2-0x00000000760C1000-0x00000000760C3000-memory.dmp (Filesize: 8KB)
- memory/1152-4-0x00000000045D0000-0x00000000045E1000-memory.dmp (Filesize: 68KB)
- memory/1152-3-0x00000000041C0000-0x00000000041D1000-memory.dmp (Filesize: 68KB)
- memory/1152-6-0x00000000045B0000-0x00000000045B1000-memory.dmp (Filesize: 4KB)