b90f9ebce152e832b91b364452c60a00df419d0e66c3618a96100e290353fe84

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:40

Target

b90f9ebce152e832b91b364452c60a00df419d0e66c3618a96100e290353fe84.dll
Size

710KB
MD5

27923f561e76f5af8f2bce21d4dfb5f7
SHA1

19a68e08afed37b163da92ed69b81611f3851411
SHA256

b90f9ebce152e832b91b364452c60a00df419d0e66c3618a96100e290353fe84
SHA512

3a634f7d51a13522d1965b9c1e82ac2745a582542f1445b296144dffccb098e500e3ddc496b01e8dad04a519d750d3a794e351091157fc66db10c684b7c99452
SSDEEP

12288:p991PUkAy3LIBcOMX+zeif2OtmqZJzeDby/8rkxEGTYjas2D2wgif84tAzIQ5hMo:vHUgIBXTe42fwzsbT4xDYqfWz5h

Score

9^/10

evasion

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4992 wrote to memory of 3036	4992	rundll32.exe	rundll32.exe
PID 4992 wrote to memory of 3036	4992	rundll32.exe	rundll32.exe
PID 4992 wrote to memory of 3036	4992	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b90f9ebce152e832b91b364452c60a00df419d0e66c3618a96100e290353fe84.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b90f9ebce152e832b91b364452c60a00df419d0e66c3618a96100e290353fe84.dll,#1
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  PID:3036

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/3036-132-0x0000000000000000-mapping.dmp

Download
memory/3036-133-0x0000000074AC0000-0x0000000074C5A000-memory.dmp

Filesize
1.6MB

Download
memory/3036-134-0x00000000007D0000-0x000000000086D000-memory.dmp

Filesize
628KB

Download
memory/3036-135-0x0000000074AC0000-0x0000000074C5A000-memory.dmp

Filesize
1.6MB

Download