2fcd12ee140c2c184bc880289c8a4e834cad3e257373205914fc4484403daf23

Analysis

max time kernel
247s
max time network
268s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fcd12ee140c2c184bc880289c8a4e834cad3e257373205914fc4484403daf23.dll
Size

610KB
MD5

f017f44b553534061d84bcef15136ad9
SHA1

8218a344d415dbb60726aaff74c67725c2a52e1d
SHA256

2fcd12ee140c2c184bc880289c8a4e834cad3e257373205914fc4484403daf23
SHA512

4680ef5f1349d6e9e62f14f1a2b4be8eb6c137ea3dfa278010f652e1048f660ccea28aa5ab91942ebd139bfe6a56452daaca9c277b0bc7fa4ad2958762122a34
SSDEEP

12288:SLN5qtaWduZwenppwELdidcGJbt/YQjgYVFDLavBo8BJZzsMfEsZ9xbuUjdpLXoL:SffkynpzcdceOQjgY/DLaJo81sMfEsZo

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Wine	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5020	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2404	5020	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5020	rundll32.exe
5020	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 5020	4196	rundll32.exe	80
PID 4196 wrote to memory of 5020	4196	rundll32.exe	80
PID 4196 wrote to memory of 5020	4196	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fcd12ee140c2c184bc880289c8a4e834cad3e257373205914fc4484403daf23.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fcd12ee140c2c184bc880289c8a4e834cad3e257373205914fc4484403daf23.dll,#1
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 788
    3⤵
    - Program crash
    PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5020 -ip 5020
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5020-133-0x0000000075550000-0x00000000756B0000-memory.dmp

Filesize
1.4MB

Download
memory/5020-134-0x0000000002690000-0x000000000272D000-memory.dmp

Filesize
628KB

Download
memory/5020-135-0x0000000075550000-0x00000000756B0000-memory.dmp

Filesize
1.4MB

Download
memory/5020-136-0x0000000077BD0000-0x0000000077D73000-memory.dmp

Filesize
1.6MB

Download
memory/5020-137-0x0000000077BD0000-0x0000000077D73000-memory.dmp

Filesize
1.6MB

Download