Analysis
- max time kernel: 36s
- max time network: 39s
- platform: windows7_x64
- resource: win7-20220414-en
- resource tags: arch:x64, arch:x86, image:win7-20220414-en, locale:en-us, os:windows7-x64, system
- submitted: 15-07-2022 11:03
Behavioral task
behavioral1
- Sample: otkepwxaym.dll
- Resource: win7-20220414-en
- windows7-x64
- 8 signatures
- 150 seconds
General
- Target: otkepwxaym.dll
- Size: 9.3MB
- MD5: c7f0ee90d71cd00a7709f409a4bb027d
- SHA1: bdb0a4f52cf7b270befc926f28f606e4df6d6225
- SHA256: e7db2ba32e4620a34b83de0bc5a728b8e3934f8d3e659785f48888a3930a3412
- SHA512: 2d84cbee27f8c6a1c8630a232a7eef9ff1bcce15e30b02cd37321528e87a5897c42d38c17a9cc84580e995fd2262bada588d3286c4eda6e3f84919fddb0f644d
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes: rundll32.exe

  | description | ioc | process |
  |---|---|---|
  | Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rundll32.exe |
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: rundll32.exe

  | description | ioc | process |
  |---|---|---|
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rundll32.exe |
- Processes (YARA rule matches on memory dumps):

  | resource | yara_rule |
  |---|---|
  | behavioral1/memory/2044-56-0x0000000001E10000-0x0000000003677000-memory.dmp | themida |
  | behavioral1/memory/2044-57-0x0000000001E10000-0x0000000003677000-memory.dmp | themida |
  | behavioral1/memory/2044-59-0x0000000001E10000-0x0000000003677000-memory.dmp | themida |
  | behavioral1/memory/2044-60-0x0000000001E10000-0x0000000003677000-memory.dmp | themida |
  | behavioral1/memory/2044-61-0x0000000001E10000-0x0000000003677000-memory.dmp | themida |
  | behavioral1/memory/2044-62-0x0000000001E10000-0x0000000003677000-memory.dmp | themida |
  | behavioral1/memory/2044-63-0x0000000001E10000-0x0000000003677000-memory.dmp | themida |
  | behavioral1/memory/2044-64-0x0000000001E10000-0x0000000003677000-memory.dmp | themida |
  | behavioral1/memory/2044-65-0x0000000001E10000-0x0000000003677000-memory.dmp | themida |
  | behavioral1/memory/2044-66-0x0000000001E10000-0x0000000003677000-memory.dmp | themida |
- Checks whether UAC is enabled
  Processes: rundll32.exe

  | description | ioc | process |
  |---|---|---|
  | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe |
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes: rundll32.exe

  | pid | process |
  |---|---|
  | 2044 | rundll32.exe |
- Program crash 1 IoCs
  Processes: WerFault.exe

  | pid | pid_target | process | target process |
  |---|---|---|---|
  | 984 | 2044 | WerFault.exe | rundll32.exe |
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes: rundll32.exe

  | pid | process |
  |---|---|
  | 2044 | rundll32.exe |
- Suspicious use of WriteProcessMemory 11 IoCs
  Processes: rundll32.exe, rundll32.exe

  | description | pid | process | target process |
  |---|---|---|---|
  | PID 1000 wrote to memory of 2044 | 1000 | rundll32.exe | rundll32.exe |
  | PID 1000 wrote to memory of 2044 | 1000 | rundll32.exe | rundll32.exe |
  | PID 1000 wrote to memory of 2044 | 1000 | rundll32.exe | rundll32.exe |
  | PID 1000 wrote to memory of 2044 | 1000 | rundll32.exe | rundll32.exe |
  | PID 1000 wrote to memory of 2044 | 1000 | rundll32.exe | rundll32.exe |
  | PID 1000 wrote to memory of 2044 | 1000 | rundll32.exe | rundll32.exe |
  | PID 1000 wrote to memory of 2044 | 1000 | rundll32.exe | rundll32.exe |
  | PID 2044 wrote to memory of 984 | 2044 | rundll32.exe | WerFault.exe |
  | PID 2044 wrote to memory of 984 | 2044 | rundll32.exe | WerFault.exe |
  | PID 2044 wrote to memory of 984 | 2044 | rundll32.exe | WerFault.exe |
  | PID 2044 wrote to memory of 984 | 2044 | rundll32.exe | WerFault.exe |
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\otkepwxaym.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1000
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\otkepwxaym.dll,#1
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2044
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 336
      - Program crash
      PID: 984
Network
MITRE ATT&CK Enterprise v6
Downloads

| file | size |
|---|---|
| memory/984-67-0x0000000000000000-mapping.dmp | |
| memory/2044-60-0x0000000001E10000-0x0000000003677000-memory.dmp | 24.4MB |
| memory/2044-56-0x0000000001E10000-0x0000000003677000-memory.dmp | 24.4MB |
| memory/2044-57-0x0000000001E10000-0x0000000003677000-memory.dmp | 24.4MB |
| memory/2044-58-0x0000000077D00000-0x0000000077E80000-memory.dmp | 1.5MB |
| memory/2044-59-0x0000000001E10000-0x0000000003677000-memory.dmp | 24.4MB |
| memory/2044-54-0x0000000000000000-mapping.dmp | |
| memory/2044-61-0x0000000001E10000-0x0000000003677000-memory.dmp | 24.4MB |
| memory/2044-62-0x0000000001E10000-0x0000000003677000-memory.dmp | 24.4MB |
| memory/2044-63-0x0000000001E10000-0x0000000003677000-memory.dmp | 24.4MB |
| memory/2044-64-0x0000000001E10000-0x0000000003677000-memory.dmp | 24.4MB |
| memory/2044-65-0x0000000001E10000-0x0000000003677000-memory.dmp | 24.4MB |
| memory/2044-66-0x0000000001E10000-0x0000000003677000-memory.dmp | 24.4MB |
| memory/2044-55-0x0000000075F21000-0x0000000075F23000-memory.dmp | 8KB |