Analysis
Max time kernel: 106s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-05-2022 19:24
Static task: static1
Behavioral task: behavioral1
  Sample: 235044f58c801955ed496f8c84712fdb353fdd9b6fda91886262234bdb710614.dll
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures, 0 seconds
General
Target: 235044f58c801955ed496f8c84712fdb353fdd9b6fda91886262234bdb710614.dll
Size: 2.4MB
MD5: 5fba3cbc31c7b28b763817636f2b1a38
SHA1: 992ee97e64491206e829ba40377f5a9878008414
SHA256: 235044f58c801955ed496f8c84712fdb353fdd9b6fda91886262234bdb710614
SHA512: 752d4aacd5482c38b1385ca0746c88bf857110bd79ec23add069b1520b792b612e1ec94a1914eeddeaed0c3d0e04db3a64744c5d734cf53f4fdf41d40b1580e6
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: rundll32.exe
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (rundll32.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (rundll32.exe)
- Checks whether UAC is enabled
  Processes: rundll32.exe
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: rundll32.exe (PID 4720)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
    PID 4696 wrote to memory of 4720 (rundll32.exe -> rundll32.exe)
    PID 4696 wrote to memory of 4720 (rundll32.exe -> rundll32.exe)
    PID 4696 wrote to memory of 4720 (rundll32.exe -> rundll32.exe)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\235044f58c801955ed496f8c84712fdb353fdd9b6fda91886262234bdb710614.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\235044f58c801955ed496f8c84712fdb353fdd9b6fda91886262234bdb710614.dll,#1
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger