Analysis

max time kernel: 106s
max time network: 21s
platform: windows7_x64
resource: win7-en-20210916
submitted: 19-09-2021 11:55

Static task: static1
Behavioral task: behavioral1

Sample: f47bc123831a1855a959fbf51b4138683af7bbbde13ad9f164594d2aa6516791.bin.dll
Resource: win7-en-20210916 (windows7_x64)
0 signatures, 0 seconds
General

Target: f47bc123831a1855a959fbf51b4138683af7bbbde13ad9f164594d2aa6516791.bin.dll
Size: 7.1MB
MD5: 473b4e622b982a92cba1ba8afcda8273
SHA1: 9a7a192b67895f63f1afdf5adf7ba2d195a17d80
SHA256: f47bc123831a1855a959fbf51b4138683af7bbbde13ad9f164594d2aa6516791
SHA512: bd437fa921c6e2c74d8c8aacc94daf2a560f90ad0fde54004902eb55b009bd705aa9e58e27e49e16f32f962302363e7991af59ba212be0f438909dc5be6032b0
Malware Config
Signatures

Detect Numando Payload (2 IoCs)
Processes:
  resource: behavioral1/memory/332-55-0x0000000001EE0000-0x00000000027DD000-memory.dmp, yara_rule: family_numando
  resource: behavioral1/memory/332-56-0x0000000001EE1000-0x000000000219C000-memory.dmp, yara_rule: family_numando

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, process: rundll32.exe
  description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion, process: rundll32.exe

Processes:
  resource: behavioral1/memory/332-55-0x0000000001EE0000-0x00000000027DD000-memory.dmp, yara_rule: themida

Processes:
  description: Key value queried, ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, process: rundll32.exe

Program crash (1 IoCs)
Processes:
  pid: 800, process: WerFault.exe, pid_target: 332, target process: rundll32.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid: 800, process: WerFault.exe
  pid: 800, process: WerFault.exe
  pid: 800, process: WerFault.exe
  pid: 800, process: WerFault.exe
  pid: 800, process: WerFault.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid: 800, process: WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeDebugPrivilege, pid: 800, process: WerFault.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description: PID 1572 wrote to memory of 332, pid: 1572, process: rundll32.exe, target process: rundll32.exe
  description: PID 1572 wrote to memory of 332, pid: 1572, process: rundll32.exe, target process: rundll32.exe
  description: PID 1572 wrote to memory of 332, pid: 1572, process: rundll32.exe, target process: rundll32.exe
  description: PID 1572 wrote to memory of 332, pid: 1572, process: rundll32.exe, target process: rundll32.exe
  description: PID 1572 wrote to memory of 332, pid: 1572, process: rundll32.exe, target process: rundll32.exe
  description: PID 1572 wrote to memory of 332, pid: 1572, process: rundll32.exe, target process: rundll32.exe
  description: PID 1572 wrote to memory of 332, pid: 1572, process: rundll32.exe, target process: rundll32.exe
  description: PID 332 wrote to memory of 800, pid: 332, process: rundll32.exe, target process: WerFault.exe
  description: PID 332 wrote to memory of 800, pid: 332, process: rundll32.exe, target process: WerFault.exe
  description: PID 332 wrote to memory of 800, pid: 332, process: rundll32.exe, target process: WerFault.exe
  description: PID 332 wrote to memory of 800, pid: 332, process: rundll32.exe, target process: WerFault.exe
Processes

C:\Windows\system32\rundll32.exe (PID 1572)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f47bc123831a1855a959fbf51b4138683af7bbbde13ad9f164594d2aa6516791.bin.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 332)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f47bc123831a1855a959fbf51b4138683af7bbbde13ad9f164594d2aa6516791.bin.dll,#1
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (PID 800)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 304
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken