f60d5a71a2580ea82e24aeffa140e6b235c3bca02d6d04f5e1296713c43e1d5e

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f60d5a71a2580ea82e24aeffa140e6b235c3bca02d6d04f5e1296713c43e1d5e.dll
Size

644KB
MD5

22eda2d564bb3a91ec57fdc66a67c2b2
SHA1

521fd12b797365357bea5b498773f83f21ef5701
SHA256

f60d5a71a2580ea82e24aeffa140e6b235c3bca02d6d04f5e1296713c43e1d5e
SHA512

42363101fb925248b950c6b2e30aad761f7e640b750fb4bac43d86a45fa98728043c668e21fa3ab8ecb196eddb0218f8b0402c91cac529f6cad3372f95d11368
SSDEEP

6144:Pee4VlHZvnlQ3KSYDQJkNmyC2hT8GEtl6kNXQoOglQPokKTUHoqI5a4wFQ:G15tQZYDjmF2hT8GE5XQoOvjAY

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4804	5004	WerFault.exe	82

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5749F410-CFB5-B3EE-4F33-CB8F4F0FEFC4}\ProgID	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5749F410-CFB5-B3EE-4F33-CB8F4F0FEFC4}\ProgID\ = "DAO.Relation.36"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5749F410-CFB5-B3EE-4F33-CB8F4F0FEFC4}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5749F410-CFB5-B3EE-4F33-CB8F4F0FEFC4}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\DAO\\dao360.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5749F410-CFB5-B3EE-4F33-CB8F4F0FEFC4}\InprocServer32\Class = "dao.RelationClass"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5749F410-CFB5-B3EE-4F33-CB8F4F0FEFC4}\InprocServer32\RuntimeVersion = "v1.0.3705"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5749F410-CFB5-B3EE-4F33-CB8F4F0FEFC4}\ = "DAO.Relation.36"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5749F410-CFB5-B3EE-4F33-CB8F4F0FEFC4}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5749F410-CFB5-B3EE-4F33-CB8F4F0FEFC4}\InprocServer32\Assembly = "dao, Version=10.0.4504.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5749F410-CFB5-B3EE-4F33-CB8F4F0FEFC4}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5004	rundll32.exe
Token: SeIncBasePriorityPrivilege	5004	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 5004	4972	rundll32.exe	82
PID 4972 wrote to memory of 5004	4972	rundll32.exe	82
PID 4972 wrote to memory of 5004	4972	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f60d5a71a2580ea82e24aeffa140e6b235c3bca02d6d04f5e1296713c43e1d5e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f60d5a71a2580ea82e24aeffa140e6b235c3bca02d6d04f5e1296713c43e1d5e.dll,#1
  2⤵
  - Checks BIOS information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 856
    3⤵
    - Program crash
    PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5004 -ip 5004
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5004-133-0x0000000002D50000-0x0000000002E21000-memory.dmp

Filesize
836KB

Download
memory/5004-134-0x0000000002F30000-0x0000000002F8A000-memory.dmp

Filesize
360KB

Download
memory/5004-139-0x0000000002D50000-0x0000000002E21000-memory.dmp

Filesize
836KB

Download
memory/5004-140-0x0000000002D51000-0x0000000002D59000-memory.dmp

Filesize
32KB

Download
memory/5004-141-0x0000000002D50000-0x0000000002E21000-memory.dmp

Filesize
836KB

Download
memory/5004-142-0x0000000002D50000-0x0000000002E21000-memory.dmp

Filesize
836KB

Download