Analysis
- max time kernel: 44s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 19:24

- Static task: static1
- Behavioral task: behavioral1
  Sample: 07c87d036ab5dca9947c20b7eb7d15c9434bb9f125ac564986b33f6c9204ab47.dll
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures
  0 seconds
General
- Target: 07c87d036ab5dca9947c20b7eb7d15c9434bb9f125ac564986b33f6c9204ab47.dll
- Size: 2.4MB
- MD5: e1aa32400b398acc3f13500e2913266a
- SHA1: f31d5f086ff20a6dcd0bdb6bae572cae647b8034
- SHA256: 07c87d036ab5dca9947c20b7eb7d15c9434bb9f125ac564986b33f6c9204ab47
- SHA512: 9d241236e953e80259ad4600d7a69ecc1c18deb89e0ac27e368eed73e75182b5fdb10aaacb9922a8db2021935a5e111e8676db1efc9cbb8a1b1d118556f21919
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: rundll32.exe
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   rundll32.exe
- Checks whether UAC is enabled
  Processes: rundll32.exe
    description        ioc                                                                                  process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes: rundll32.exe
    pid   process
    1724  rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
    description                       pid   process       target process
    PID 1336 wrote to memory of 1724  1336  rundll32.exe  rundll32.exe
    PID 1336 wrote to memory of 1724  1336  rundll32.exe  rundll32.exe
    PID 1336 wrote to memory of 1724  1336  rundll32.exe  rundll32.exe
    PID 1336 wrote to memory of 1724  1336  rundll32.exe  rundll32.exe
    PID 1336 wrote to memory of 1724  1336  rundll32.exe  rundll32.exe
    PID 1336 wrote to memory of 1724  1336  rundll32.exe  rundll32.exe
    PID 1336 wrote to memory of 1724  1336  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\07c87d036ab5dca9947c20b7eb7d15c9434bb9f125ac564986b33f6c9204ab47.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\07c87d036ab5dca9947c20b7eb7d15c9434bb9f125ac564986b33f6c9204ab47.dll,#1
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1724-54-0x0000000000000000-mapping.dmp
- memory/1724-55-0x0000000074B51000-0x0000000074B53000-memory.dmp (Filesize 8KB)
- memory/1724-56-0x0000000010001000-0x0000000010005000-memory.dmp (Filesize 16KB)
- memory/1724-57-0x0000000076F30000-0x00000000770B0000-memory.dmp (Filesize 1.5MB)