Analysis

max time kernel: 73s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 19:23

Static task: static1
Behavioral task: behavioral1
  Sample: cfba16fa9aa7fdc7b744b2832ef65558d8d9934171f0d6e902e7a423d800b50f.dll
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures, 0 seconds
General

Target: cfba16fa9aa7fdc7b744b2832ef65558d8d9934171f0d6e902e7a423d800b50f.dll
Size: 2.4MB
MD5: cd9f18209f2d8ef60e8199662b2ea120
SHA1: bbf36d27902a379ae5e204babde0cb330934a6cc
SHA256: cfba16fa9aa7fdc7b744b2832ef65558d8d9934171f0d6e902e7a423d800b50f
SHA512: 621d3d82f04aebb6cf4ffc7e012ddfc05c1bd677eb3b018a8b37bec6812762d2b6617bcb7c9af4fe235a43219b1b20aeb84e677cd3899840c4a24ce548b70586
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  process       description         ioc
  rundll32.exe  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  rundll32.exe  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks whether UAC is enabled
EnableLUA reports whether UAC is active; it is read to decide whether elevation will prompt the user.
Processes:
  process       description         ioc
  rundll32.exe  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
ThreadHideFromDebugger detaches the calling thread from an attached debugger so that its debug events are no longer delivered.
Processes:
  process       pid
  rundll32.exe  2912

Suspicious use of WriteProcessMemory (3 IoCs)
All three writes are from the parent rundll32.exe (PID 1988) into the child it spawned (PID 2912). A parent writing into a freshly created child is part of ordinary process start-up, so this signature alone does not establish code injection.
Processes:
  description            pid   process       target pid  target process
  wrote to memory of     1988  rundll32.exe  2912        rundll32.exe
  wrote to memory of     1988  rundll32.exe  2912        rundll32.exe
  wrote to memory of     1988  rundll32.exe  2912        rundll32.exe
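As an added example (not part of the Triage report and not code from the sample), the rules below take IoC lines in the shape this report prints, tag the registry reads that indicate VM fingerprinting and UAC probing, and count parent-to-child memory writes so they can be reviewed separately from true injection. The VirtualBox ACPI value names (DSDT, FADT and RSDT entries carrying the OEM ID VBOX__) are an assumption, since the report does not print which ACPI values were queried; accepting HKLM-prefixed paths as well as native \REGISTRY\MACHINE paths is an addition so the same table works on Sysmon-style logs.

```python
import re
from collections import Counter, defaultdict

# Registry locations read by sandbox-evasive code, keyed to what they reveal.
# The two BIOS values and EnableLUA are the ones this report lists. The ACPI
# table entries are the usual VirtualBox markers (OEM ID "VBOX__"); they are
# an assumption, because the report does not print which ACPI values were read.
ANTI_ANALYSIS_KEYS = {
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios-fingerprint",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "bios-fingerprint",
    r"\HARDWARE\ACPI\DSDT\VBOX__": "virtualbox-acpi",
    r"\HARDWARE\ACPI\FADT\VBOX__": "virtualbox-acpi",
    r"\HARDWARE\ACPI\RSDT\VBOX__": "virtualbox-acpi",
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "uac-check",
}

# Line shapes as they appear in the report's flattened IoC tables.
REG_QUERY = re.compile(r"Key value queried (\S+) (\S+\.exe)")
MEM_WRITE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

# Constructed input: the IoC lines from the report above, copied by hand.
SAMPLE_IOCS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe",
    "PID 1988 wrote to memory of 2912 1988 rundll32.exe rundll32.exe",
    "PID 1988 wrote to memory of 2912 1988 rundll32.exe rundll32.exe",
    "PID 1988 wrote to memory of 2912 1988 rundll32.exe rundll32.exe",
]


def normalize_key(path):
    r"""Strip the hive prefix so native (\REGISTRY\MACHINE\...) and Sysmon-style
    (HKLM\...) paths compare equal; returns the HKLM-relative tail."""
    p = path.replace("/", "\\")
    for prefix in ("\\REGISTRY\\MACHINE", "HKEY_LOCAL_MACHINE", "HKLM"):
        if p.upper().startswith(prefix):
            return p[len(prefix):]
    return p


def classify_key(path):
    """Return the behaviour tag for a queried key, or None if it is not in the table."""
    tail = normalize_key(path).lower()
    for key, tag in ANTI_ANALYSIS_KEYS.items():
        if tail.startswith(key.lower()):  # prefix match so sub-values count too
            return tag
    return None


def parse_report(lines):
    """Group tagged registry reads by process name and count parent->child writes."""
    behaviours = defaultdict(set)
    writes = Counter()
    for line in lines:
        m = REG_QUERY.search(line)
        if m:
            tag = classify_key(m.group(1))
            if tag:
                behaviours[m.group(2)].add(tag)
            continue
        m = MEM_WRITE.search(line)
        if m:
            parent_pid, child_pid, parent, child = m.groups()
            writes[(int(parent_pid), parent, int(child_pid), child)] += 1
    return dict(behaviours), writes


def findings(lines):
    """Human-readable summary. Memory writes are listed, not scored as injection:
    a parent writing into a child it has just spawned is normal start-up."""
    behaviours, writes = parse_report(lines)
    out = [f"{proc}: {', '.join(sorted(tags))}" for proc, tags in behaviours.items()]
    for (ppid, parent, cpid, child), n in writes.items():
        out.append(f"{parent}[{ppid}] wrote {n}x into {child}[{cpid}]")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_IOCS):
        print(line)
```

Run against the report's own lines, this yields one behaviour line for rundll32.exe (bios-fingerprint, uac-check) and one write line for PID 1988 into PID 2912; the VirtualBox ACPI entries stay in the table for reports that do print those values.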
Processes

The ",#1" argument tells rundll32.exe to call the DLL's export with ordinal 1. The 64-bit rundll32.exe in system32 re-launches the 32-bit copy from SysWOW64 to host a 32-bit DLL, which is why the sample's behaviour is attributed to the child process.

C:\Windows\system32\rundll32.exe (PID 1988)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cfba16fa9aa7fdc7b744b2832ef65558d8d9934171f0d6e902e7a423d800b50f.dll,#1
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 2912)
       rundll32.exe C:\Users\Admin\AppData\Local\Temp\cfba16fa9aa7fdc7b744b2832ef65558d8d9934171f0d6e902e7a423d800b50f.dll,#1
       - Checks BIOS information in registry
       - Checks whether UAC is enabled
       - Suspicious use of NtSetInformationThreadHideFromDebugger