Analysis

max time kernel: 13s
max time network: 147s
platform: windows10_x64
resource: win10v20201028
submitted: 28-01-2021 20:10

Static task: static1
Behavioral task: behavioral1
Sample: dllhost.exe
Resource: win7v20201028
General

Target: dllhost.exe
Size: 1.8MB
MD5: 51710e06bbd844ae2b0494e5c142dcbe
SHA1: 68d8378d23edc21b09be4d56e443a4204c749b6a
SHA256: dc1649633cb90b8456c19c1b53675ad07d0bf2774d33b8c8f650f1e65489d6fc
SHA512: eac92e729da84e54c5f010f5cbf87d280a901745e19608187563229c0b0222c2b23c6571ee9843a7664cb7b245d66e961fb3f540ba0c4ddb0eb58e05b614c50c
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs

Checks BIOS information in registry  2 TTPs  2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: dllhost.exe
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  dllhost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   dllhost.exe

Identifies Wine through registry keys  2 TTPs  1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: dllhost.exe
  description  ioc                                                                               process
  Key opened   \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine  dllhost.exe

Adds Run key to start application  2 TTPs  1 IoCs
Processes: dllhost.exe
  description      ioc                                                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"  dllhost.exe
Checks whether UAC is enabled
The EnableLUA policy value records whether User Account Control is turned on.
Processes: dllhost.exe
  description        ioc                                                                                process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dllhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger  1 IoCs
Processes: dllhost.exe
  pid  process
  648  dllhost.exe

Drops file in Program Files directory  2 IoCs
Processes: dllhost.exe
  description                   ioc                                                process
  File created                  C:\Program Files (x86)\SMTP Manager\smtpmgr.exe  dllhost.exe
  File opened for modification  C:\Program Files (x86)\SMTP Manager\smtpmgr.exe  dllhost.exe

Creates scheduled task(s)  1 TTPs  2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses  8 IoCs
Processes: dllhost.exe
  pid  process
  648  dllhost.exe  (8 occurrences)

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
Processes: dllhost.exe
  pid  process
  648  dllhost.exe

Suspicious use of AdjustPrivilegeToken  2 IoCs
Processes: dllhost.exe
  description              pid  process
  Token: SeDebugPrivilege  648  dllhost.exe
  Token: SeDebugPrivilege  648  dllhost.exe

Suspicious use of WriteProcessMemory  6 IoCs
Processes: dllhost.exe
  description                  pid  process      target process
  PID 648 wrote to memory of 204   648  dllhost.exe  schtasks.exe
  PID 648 wrote to memory of 204   648  dllhost.exe  schtasks.exe
  PID 648 wrote to memory of 204   648  dllhost.exe  schtasks.exe
  PID 648 wrote to memory of 2008  648  dllhost.exe  schtasks.exe
  PID 648 wrote to memory of 2008  648  dllhost.exe  schtasks.exe
  PID 648 wrote to memory of 2008  648  dllhost.exe  schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (child of dllhost.exe)
    command line: "schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5B83.tmp"
    - Creates scheduled task(s)

  C:\Windows\SysWOW64\schtasks.exe  (child of dllhost.exe)
    command line: "schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5CEC.tmp"
    - Creates scheduled task(s)
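The signatures and process tree above describe what the sample did; the following is an added example (not part of this sandbox report and not the sample's code) of detection logic that turns those observations into rules and runs them over constructed Sysmon-style event records mirroring the report's IoCs. The event field names (type, image, key, data, path, cmdline), the rule labels and the benign noise events are assumptions made for the example.

```python
import re
from collections import defaultdict

# Registry locations taken from the report's IoCs, matched by path suffix so the
# hive prefix (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) does not matter.
ANTI_ANALYSIS_SUFFIXES = {
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "BIOS version read (VM/sandbox check)",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "video BIOS version read (VM/sandbox check)",
    r"\Software\Wine": "Wine key probed (sandbox check)",
    r"\Policies\System\EnableLUA": "UAC status queried",
}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SCHTASKS_CREATE_RE = re.compile(
    r'schtasks(?:\.exe)?"?\s+/create\b.*?/xml\s+"?(?P<xml>[^"]+)', re.I | re.S)


def classify(event):
    """Return the (rule, detail) pairs that fire for one event dict.

    The event shape (Sysmon-like fields) is an assumption of this example;
    adapt the field names to your own telemetry."""
    hits = []
    kind = event["type"]
    if kind == "registry_query":
        key = event["key"].lower()
        for suffix, label in ANTI_ANALYSIS_SUFFIXES.items():
            if key.endswith(suffix.lower()):
                hits.append((label, event["key"]))
    elif kind == "registry_set":
        m = RUN_KEY_RE.search(event["key"])
        if m:
            # A Run value written by a process executing from the user's Temp
            # directory is exactly the persistence pattern this report shows.
            sev = "high" if USER_TEMP_RE.search(event["image"]) else "low"
            hits.append((f"Run key persistence ({sev})",
                         f'{m.group("name")} = {event["data"]}'))
    elif kind == "process_create":
        m = SCHTASKS_CREATE_RE.search(event["cmdline"])
        if m:
            xml = m.group("xml")
            # Task definitions staged as tmpXXXX.tmp in %TEMP% are a red flag;
            # an administrator normally uses /tr or a permanently stored XML.
            rule = ("scheduled task created from Temp XML"
                    if USER_TEMP_RE.search(xml) else "scheduled task created")
            hits.append((rule, xml))
    elif kind == "file_create":
        if (event["path"].lower().startswith(r"c:\program files")
                and USER_TEMP_RE.search(event["image"])):
            hits.append(("Temp-resident process drops into Program Files", event["path"]))
    return hits


def scan(events):
    """Aggregate hits by rule name over an event stream."""
    findings = defaultdict(list)
    for ev in events:
        for rule, detail in classify(ev):
            findings[rule].append(detail)
    return dict(findings)


# Constructed events: the first eight restate the report's IoCs, the last two
# are benign noise added to show the rules do not fire on ordinary activity.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
CONSTRUCTED_EVENTS = [
    {"type": "registry_query", "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "registry_query", "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "registry_query", "image": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine"},
    {"type": "registry_query", "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "registry_set", "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager",
     "data": r"C:\Program Files (x86)\SMTP Manager\smtpmgr.exe"},
    {"type": "file_create", "image": SAMPLE,
     "path": r"C:\Program Files (x86)\SMTP Manager\smtpmgr.exe"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\schtasks.exe", "parent": SAMPLE,
     "cmdline": r'"schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5B83.tmp"'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\schtasks.exe", "parent": SAMPLE,
     "cmdline": r'"schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5CEC.tmp"'},
    {"type": "registry_query", "image": r"C:\Windows\System32\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /query /tn "Microsoft\Windows\Defrag\ScheduledDefrag"'},
]

if __name__ == "__main__":
    for rule, details in scan(CONSTRUCTED_EVENTS).items():
        print(f"{rule}: {len(details)}")
        for d in details:
            print(f"    {d}")
```

The registry rules on their own are weak signals (legitimate installers and hardware inventory tools read the BIOS values too); the value of the example is in the correlation that the report itself suggests: a process running from the user's Temp directory that writes a Run value, drops a binary into Program Files and spawns schtasks.exe with a task XML staged in Temp. Any one of those from a Temp-resident process deserves a look; all of them within seconds is the pattern to alert on.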
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

The two .tmp files below are the task-definition XML files passed to schtasks.exe /xml in the process tree above.

C:\Users\Admin\AppData\Local\Temp\tmp5B83.tmp
  MD5:    ee10d5ce3e711f0e871cea6684896e1c
  SHA1:   62665575bb01b06827ab3d21d101bc61be54a91e
  SHA256: 7ff4af41079f53c1c4acf8002328345f8314074f9ebee0bb0511169fffbad2b7
  SHA512: 25f2972dea0468b9882b4d4166347b69cbb9f5a26d959ccacfedbc07800ab3db4e3aa044668d535d47852c6f3016f1a2e7e3e2c4475410aae8dfe64982ea62ce

C:\Users\Admin\AppData\Local\Temp\tmp5CEC.tmp
  MD5:    b3b017f9df206021717a11f11d895402
  SHA1:   e4ea12823af6550ee634536eec1eb14490580a3b
  SHA256: 654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024
  SHA512: 95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

Memory dumps (pid 648 is dllhost.exe; 204 and 2008 are the two schtasks.exe children):
  memory/204-6-0x0000000000000000-mapping.dmp
  memory/648-3-0x0000000005090000-0x0000000005091000-memory.dmp  Filesize 4KB
  memory/648-2-0x0000000004890000-0x0000000004891000-memory.dmp  Filesize 4KB
  memory/648-5-0x0000000004B60000-0x0000000004B61000-memory.dmp  Filesize 4KB
  memory/648-4-0x0000000076FC4000-0x0000000076FC5000-memory.dmp  Filesize 4KB
  memory/2008-8-0x0000000000000000-mapping.dmp