48f664496412e4da22a0d539aca9fe98737a194103d55ff58ea15dae95935d90

Analysis

max time kernel
44s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
04-05-2022 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9339fe09ff7f8cc9c853d6d6a5171858.dll
Size

2.6MB
MD5

9339fe09ff7f8cc9c853d6d6a5171858
SHA1

b5ddc9a0b1e7d639a0d71c6627337995b3a02ed6
SHA256

48f664496412e4da22a0d539aca9fe98737a194103d55ff58ea15dae95935d90
SHA512

b75c9d33b22403526e12642ecba9b9fa07afd4101865398e4956ff18e200c18528724a9d26c27182c829c62e87e513496fcbafa9a55b9dc1729ca74ba1f276f0

Score

9^/10

evasion

Malware Config

Signatures

Enumerates VirtualBox registry keys 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Wine rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Wine	rundll32.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

rundll32.exe

pid	process
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9339fe09ff7f8cc9c853d6d6a5171858.dll,#1
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:1356

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads