908998edac3468f70f7eb6745c3fafdddfbcfd4bbbbc915ce761f36dadb1b82a

Analysis

max time kernel
40s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

908998edac3468f70f7eb6745c3fafdddfbcfd4bbbbc915ce761f36dadb1b82a.dll
Size

737KB
MD5

df9941ce87d7e605c877f77374ff1d43
SHA1

d18bdd83fb7b210212ce3815c407a013c5346540
SHA256

908998edac3468f70f7eb6745c3fafdddfbcfd4bbbbc915ce761f36dadb1b82a
SHA512

351027ca9c1a425a5ef0ca24bc0c82ff563c38d469bd6fbd66d7fbc6202b8ea2ab252fb8f59e557ae88ae6f42698da6a779a66216bde22c18e0446b8cf58ecdd
SSDEEP

12288:GrO53mqOowXHaSsTId/rBLPGuBaXry6LT3ddAzJbovfkNaOk+Rp5byL3gFwSV0b7:+yf2H0TIrNuyI7T3JkNaJ+RjGTgzEUXQ

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

1228 rundll32.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

rundll32.exe

pid process

1228 rundll32.exe
1228 rundll32.exe
1228 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rundll32.exe

pid process

1228 rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine	rundll32.exe

pid	process
1228	rundll32.exe

pid	process
1228	rundll32.exe
1228	rundll32.exe
1228	rundll32.exe

pid	process
1228	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1840 wrote to memory of 1228	1840	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 1228	1840	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 1228	1840	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 1228	1840	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 1228	1840	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 1228	1840	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 1228	1840	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\908998edac3468f70f7eb6745c3fafdddfbcfd4bbbbc915ce761f36dadb1b82a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\908998edac3468f70f7eb6745c3fafdddfbcfd4bbbbc915ce761f36dadb1b82a.dll,#1
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-54-0x0000000000000000-mapping.dmp

Download
memory/1228-55-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1228-56-0x0000000001CD0000-0x0000000001E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1228-57-0x0000000001CD0000-0x0000000001E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1228-58-0x0000000001CD0000-0x0000000001E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1228-59-0x0000000001CD0000-0x0000000001E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1228-60-0x0000000001CD0000-0x0000000001E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1228-61-0x0000000077CD0000-0x0000000077E50000-memory.dmp

Filesize
1.5MB

Download
memory/1228-62-0x0000000001CD0000-0x0000000001E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1228-63-0x0000000001CD0000-0x0000000001E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1228-64-0x0000000001CD0000-0x0000000001E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1228-65-0x0000000077CD0000-0x0000000077E50000-memory.dmp

Filesize
1.5MB

Download