Analysis

  • max time kernel
    91s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30-09-2022 04:54

General

  • Target

    boulder.dll

  • Size

    9.8MB

  • MD5

    5da411ab2fa2543cfa19f5efdfb28f9b

  • SHA1

    220d4a6c59fcac9d036d530ec737576e7259a5d0

  • SHA256

    23cf42f273679addee762966ea00d7738a2ba27380087c59b7fc646f03a6f4db

  • SHA512

    84f9a08ff31355bac32313ee865cc795854390d95d8950a77de050d7c3a2057d1d405cd1aec2a9233e6902a7c3b1b6cf284ad1a80ba9f56e2221d25f17f48e69

  • SSDEEP

    196608:sSokuRK5a6hrR/ENcdd0dLD/OCm7rc5cmgThB+97Yc/0nNB6RNbs:gZkrJEeQvV35VEhzYQwY

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\boulder.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\boulder.dll,#1
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1928
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1132
        3⤵
        • Program crash
        PID:2596
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1928 -ip 1928
    1⤵
    PID:2716

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1928-133-0x0000000077730000-0x00000000778D3000-memory.dmp
    Filesize: 1.6MB
  • memory/1928-134-0x00000000028C0000-0x000000000425B000-memory.dmp
    Filesize: 25.6MB
  • memory/1928-135-0x00000000028C0000-0x000000000425B000-memory.dmp
    Filesize: 25.6MB
  • memory/1928-136-0x00000000028C0000-0x000000000425B000-memory.dmp
    Filesize: 25.6MB
  • memory/1928-137-0x00000000028C0000-0x000000000425B000-memory.dmp
    Filesize: 25.6MB
  • memory/1928-138-0x00000000028C0000-0x000000000425B000-memory.dmp
    Filesize: 25.6MB
  • memory/1928-139-0x00000000028C0000-0x000000000425B000-memory.dmp
    Filesize: 25.6MB
  • memory/1928-140-0x00000000028C0000-0x000000000425B000-memory.dmp
    Filesize: 25.6MB
  • memory/1928-141-0x00000000028C0000-0x000000000425B000-memory.dmp
    Filesize: 25.6MB
  • memory/1928-142-0x00000000028C0000-0x000000000425B000-memory.dmp
    Filesize: 25.6MB
  • memory/1928-143-0x00000000028C0000-0x000000000425B000-memory.dmp
    Filesize: 25.6MB
  • memory/1928-144-0x00000000028C0000-0x000000000425B000-memory.dmp
    Filesize: 25.6MB
  • memory/1928-145-0x00000000028C0000-0x000000000425B000-memory.dmp
    Filesize: 25.6MB
  • memory/1928-146-0x0000000077730000-0x00000000778D3000-memory.dmp
    Filesize: 1.6MB