Analysis
- max time kernel: 42s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 28-06-2022 12:20
Static task: static1
Behavioral task: behavioral1
Sample: 63ba59b6c377f04840f8234f341a028ec170a952535136e69577beec9357f3e8.dll
Resource: win7-20220414-en
General
- Target: 63ba59b6c377f04840f8234f341a028ec170a952535136e69577beec9357f3e8.dll
- Size: 9.0MB
- MD5: a4dd634510df494b08635fecbe77b116
- SHA1: 9b8a645b75574d45c0de24a3d5fcca20c081a91d
- SHA256: 63ba59b6c377f04840f8234f341a028ec170a952535136e69577beec9357f3e8
- SHA512: 446a8378121df58606aed8e7a4a4994fcb08761f76170b429bae1a0b96eb54dd38be66f12ac22e9a5d829c0ef6d463fe1d53b1b5c90f6c298d731bc809da22a8
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rundll32.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rundll32.exe
- YARA rule matches on memory dumps
  Processes:
  resource | yara_rule
  behavioral1/memory/308-57-0x00000000706A0000-0x0000000071FFE000-memory.dmp | themida
  behavioral1/memory/308-58-0x00000000706A0000-0x0000000071FFE000-memory.dmp | themida
  behavioral1/memory/308-60-0x00000000706A0000-0x0000000071FFE000-memory.dmp | themida
  behavioral1/memory/308-62-0x00000000706A0000-0x0000000071FFE000-memory.dmp | themida
  behavioral1/memory/308-63-0x00000000706A0000-0x0000000071FFE000-memory.dmp | themida
  behavioral1/memory/308-64-0x00000000706A0000-0x0000000071FFE000-memory.dmp | themida
  behavioral1/memory/308-65-0x00000000706A0000-0x0000000071FFE000-memory.dmp | themida
  behavioral1/memory/308-66-0x00000000706A0000-0x0000000071FFE000-memory.dmp | themida
  behavioral1/memory/308-67-0x00000000706A0000-0x0000000071FFE000-memory.dmp | themida
  behavioral1/memory/308-68-0x00000000706A0000-0x0000000071FFE000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  pid | process
  308 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description | pid | process | target process
  PID 1308 wrote to memory of 308 | 1308 | rundll32.exe | rundll32.exe
  (the same entry is recorded 7 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\63ba59b6c377f04840f8234f341a028ec170a952535136e69577beec9357f3e8.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\63ba59b6c377f04840f8234f341a028ec170a952535136e69577beec9357f3e8.dll,#1
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/308-54-0x0000000000000000-mapping.dmp
- memory/308-55-0x0000000075261000-0x0000000075263000-memory.dmp (Filesize: 8KB)
- memory/308-56-0x0000000072000000-0x000000007395E000-memory.dmp (Filesize: 25.4MB)
- memory/308-57-0x00000000706A0000-0x0000000071FFE000-memory.dmp (Filesize: 25.4MB)
- memory/308-59-0x0000000072000000-0x000000007395E000-memory.dmp (Filesize: 25.4MB)
- memory/308-58-0x00000000706A0000-0x0000000071FFE000-memory.dmp (Filesize: 25.4MB)
- memory/308-60-0x00000000706A0000-0x0000000071FFE000-memory.dmp (Filesize: 25.4MB)
- memory/308-61-0x0000000077550000-0x00000000776D0000-memory.dmp (Filesize: 1.5MB)
- memory/308-62-0x00000000706A0000-0x0000000071FFE000-memory.dmp (Filesize: 25.4MB)
- memory/308-63-0x00000000706A0000-0x0000000071FFE000-memory.dmp (Filesize: 25.4MB)
- memory/308-64-0x00000000706A0000-0x0000000071FFE000-memory.dmp (Filesize: 25.4MB)
- memory/308-65-0x00000000706A0000-0x0000000071FFE000-memory.dmp (Filesize: 25.4MB)
- memory/308-66-0x00000000706A0000-0x0000000071FFE000-memory.dmp (Filesize: 25.4MB)
- memory/308-67-0x00000000706A0000-0x0000000071FFE000-memory.dmp (Filesize: 25.4MB)
- memory/308-68-0x00000000706A0000-0x0000000071FFE000-memory.dmp (Filesize: 25.4MB)
- memory/308-69-0x0000000077550000-0x00000000776D0000-memory.dmp (Filesize: 1.5MB)