Analysis
- max time kernel: 122s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 03-02-2022 10:44
Static task: static1

Behavioral task: behavioral1
- Sample: jKPeSMhaBb.dll
- Resource: win7-en-20211208 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: jKPeSMhaBb.dll
- Resource: win10v2004-en-20220112 (windows10-2004_x64)
- 0 signatures, 0 seconds
General
- Target: jKPeSMhaBb.dll
- Size: 9.0MB
- MD5: 71de56304b7c5bf604a2c63c27fee89b
- SHA1: 84b63bc607afa5ed4401a618e896f5a511dbeb20
- SHA256: 7941b73b753797e4926d9df968f5e6b101dc23d7312569ae2af784262f532353
- SHA512: ee7f465a235ec63163a4ac93e0b120daf7b1e66a11ef0046a87f9d90923760ea47882fc5eda5a1caf8814fc2e0e74cd769c9b88e0de7488701c9b9556edbf406
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: rundll32.exe
    description         ioc                                                              process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  rundll32.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   rundll32.exe
- Yara rule matches
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1228-55-0x0000000002230000-0x00000000031DE000-memory.dmp  themida
    behavioral1/memory/1228-56-0x0000000002230000-0x00000000031DE000-memory.dmp  themida
- Checks whether UAC is enabled
  Processes: rundll32.exe
    description         ioc                                                                                    process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
    pid    pid_target   process        target process
    1392   1228         WerFault.exe   rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: WerFault.exe
    pid    process
    1392   WerFault.exe   (4 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: WerFault.exe
    pid    process
    1392   WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: WerFault.exe
    description               pid    process
    Token: SeDebugPrivilege   1392   WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                        pid    process        target process
    PID 1312 wrote to memory of 1228   1312   rundll32.exe   rundll32.exe   (7 entries)
    PID 1228 wrote to memory of 1392   1228   rundll32.exe   WerFault.exe   (4 entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\jKPeSMhaBb.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\jKPeSMhaBb.dll,#1
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 308
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1228-54-0x0000000075D51000-0x0000000075D53000-memory.dmp (Filesize: 8KB)
- memory/1228-55-0x0000000002230000-0x00000000031DE000-memory.dmp (Filesize: 15.7MB)
- memory/1228-56-0x0000000002230000-0x00000000031DE000-memory.dmp (Filesize: 15.7MB)
- memory/1392-58-0x00000000004A0000-0x00000000004A1000-memory.dmp (Filesize: 4KB)