Analysis
-
max time kernel
141s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
19-03-2023 18:14
Behavioral task
behavioral1
Sample
BIHBXRSIVW.dll
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
BIHBXRSIVW.dll
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
YPRII8GSNC37Q6VEFsss.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
YPRII8GSNC37Q6VEFsss.exe
Resource
win10v2004-20230220-en
General
-
Target
BIHBXRSIVW.dll
-
Size
14.5MB
-
MD5
9c10a526a73893354ffda1070e3c438f
-
SHA1
ce854ebd481c03df98625619bcc258614fc19515
-
SHA256
9fc52a3f3062b09ef6fe25ceeead5bcf3f80c712e8468fe887a57fbe19884b2c
-
SHA512
56f8cdfb10cbe024842390b7878e6cc83f4c644942d3785711310583c25499111e6427e1cb6954b17edf6db1ca9275d1e823ac5b32decfd62bddc13f1d624466
-
SSDEEP
393216:y1+g8B3BQ6lV7Vb3LBgTovVLRAsDEI3mtPuQTC35BeI:y1Vs3BQmBFiMVLRAsYI3OGx
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 2076 rundll32.exe -
Processes:
resource yara_rule behavioral2/memory/2076-133-0x0000000002BE0000-0x0000000005139000-memory.dmp themida behavioral2/memory/2076-134-0x0000000002BE0000-0x0000000005139000-memory.dmp themida behavioral2/memory/2076-135-0x0000000002BE0000-0x0000000005139000-memory.dmp themida behavioral2/memory/2076-136-0x0000000002BE0000-0x0000000005139000-memory.dmp themida behavioral2/memory/2076-137-0x0000000002BE0000-0x0000000005139000-memory.dmp themida behavioral2/memory/2076-138-0x0000000002BE0000-0x0000000005139000-memory.dmp themida behavioral2/memory/2076-139-0x0000000002BE0000-0x0000000005139000-memory.dmp themida behavioral2/memory/2076-141-0x0000000002BE0000-0x0000000005139000-memory.dmp themida behavioral2/memory/2076-140-0x0000000002BE0000-0x0000000005139000-memory.dmp themida behavioral2/memory/2076-142-0x0000000002BE0000-0x0000000005139000-memory.dmp themida behavioral2/memory/2076-143-0x0000000002BE0000-0x0000000005139000-memory.dmp themida behavioral2/memory/2076-168-0x0000000002BE0000-0x0000000005139000-memory.dmp themida -
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
rundll32.exepid process 2076 rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4316 2076 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 2076 rundll32.exe 2076 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 1320 wrote to memory of 2076 1320 rundll32.exe rundll32.exe PID 1320 wrote to memory of 2076 1320 rundll32.exe rundll32.exe PID 1320 wrote to memory of 2076 1320 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\BIHBXRSIVW.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\BIHBXRSIVW.dll,#12⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2076 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 7723⤵
- Program crash
PID:4316
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2076 -ip 20761⤵PID:2660
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5d8f4ab8284f0fda871d6834e24bc6f37
SHA1641948e44a1dcfd0ef68910768eb4b1ea6b49d10
SHA256c09d0790e550694350b94ca6b077c54f983c135fab8990df5a75462804150912
SHA512f65a916041846718306567d33273c3d0f41e0b26589cf6db46ec6c788ba0d87a708c94979d3bd0609142badca9e7129690b92169a07dcf7cd8c66698827d2fa0