Analysis
max time kernel: 91s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 19:23

Static task: static1
Behavioral task: behavioral1
Sample: a71b3f06bf87b40b1559fa1d5a8cc3eab4217f317858bce823dd36302412dabc.dll
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds
General
Target: a71b3f06bf87b40b1559fa1d5a8cc3eab4217f317858bce823dd36302412dabc.dll
Size: 2.4MB
MD5: 152cade991b94b41ab0259fcc4e49339
SHA1: 750372151b2c9b739701916d2f24b7b017e2107e
SHA256: a71b3f06bf87b40b1559fa1d5a8cc3eab4217f317858bce823dd36302412dabc
SHA512: c250dd3b5e81cd0fda01a4fd3ee9a716a0d6869406a9d9069ac4e5f090f48c5bb8ac88f85c26d66e4e76c34c61d07da36237257622e83b5aed84f74101b3c89d
Malware Config

Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs
- Checks BIOS information in registry | 2 TTPs | 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rundll32.exe
- Checks whether UAC is enabled
  Processes: rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger | 1 IoCs
  Processes: rundll32.exe
  pid | process
  444 | rundll32.exe
- Suspicious use of WriteProcessMemory | 3 IoCs
  Processes: rundll32.exe
  description | pid | process | target process
  PID 2580 wrote to memory of 444 | 2580 | rundll32.exe | rundll32.exe
  PID 2580 wrote to memory of 444 | 2580 | rundll32.exe | rundll32.exe
  PID 2580 wrote to memory of 444 | 2580 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a71b3f06bf87b40b1559fa1d5a8cc3eab4217f317858bce823dd36302412dabc.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a71b3f06bf87b40b1559fa1d5a8cc3eab4217f317858bce823dd36302412dabc.dll,#1
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger