Analysis
- Max time kernel: 44s
- Max time network: 49s
- Platform: windows7_x64
- Resource: win7-20220901-en
- Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- Submitted: 25-11-2022 12:41
Static task: static1

Behavioral task: behavioral1
- Sample: dd83ffe71b9b88ee667f0de89ee47d7fda7d5e26ddf1a0e021b9cafb9ae472dc.dll
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: dd83ffe71b9b88ee667f0de89ee47d7fda7d5e26ddf1a0e021b9cafb9ae472dc.dll
- Resource: win10v2004-20220812-en
General
- Target: dd83ffe71b9b88ee667f0de89ee47d7fda7d5e26ddf1a0e021b9cafb9ae472dc.dll
- Size: 1.9MB
- MD5: f26076d7ac1fef70ea6667a5cf62d7af
- SHA1: 6764620fd2c48b70734b0114d7d638489c6c9e13
- SHA256: dd83ffe71b9b88ee667f0de89ee47d7fda7d5e26ddf1a0e021b9cafb9ae472dc
- SHA512: 094b3545837ad3b0d7342362dafe5dea15b354081cd96c7ab893c3b0254489f0fb22cbdbdf05f10430067768f5b3b6fafa76b2e14cdec9d7c6ec31bf3fb90fc0
- SSDEEP: 49152:+maHknTlV73iP54hnX6yVXebpMZoeOneWcsHwi:wY3PhX66ub1VhHb
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
    Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: rundll32.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: rundll32.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: rundll32.exe)
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine (process: rundll32.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    PID 1744: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    PID 1744: rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    PID 1104 wrote to memory of 1744 (process: rundll32.exe, target process: rundll32.exe); this entry is reported 7 times.
Processes
- C:\Windows\system32\rundll32.exe (PID 1104)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd83ffe71b9b88ee667f0de89ee47d7fda7d5e26ddf1a0e021b9cafb9ae472dc.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe (PID 1744)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd83ffe71b9b88ee667f0de89ee47d7fda7d5e26ddf1a0e021b9cafb9ae472dc.dll,#1
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1744-54-0x0000000000000000-mapping.dmp
- memory/1744-55-0x0000000075BB1000-0x0000000075BB3000-memory.dmp (filesize: 8KB)
- memory/1744-56-0x0000000001EA0000-0x00000000024B4000-memory.dmp (filesize: 6.1MB)
- memory/1744-57-0x0000000001EA0000-0x00000000024B4000-memory.dmp (filesize: 6.1MB)
- memory/1744-58-0x0000000001EA0000-0x00000000024B4000-memory.dmp (filesize: 6.1MB)
- memory/1744-59-0x0000000001EA0000-0x00000000024B4000-memory.dmp (filesize: 6.1MB)
- memory/1744-60-0x0000000077710000-0x0000000077890000-memory.dmp (filesize: 1.5MB)
- memory/1744-61-0x0000000077710000-0x0000000077890000-memory.dmp (filesize: 1.5MB)