7486d7041b3f928b320b0af29cf00db73a07af1e8a0d8f025ba3d1fe9a8f68e6

Analysis

max time kernel
29s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-04-2023 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7486d7041b3f928b320b0af29cf00db73a07af1e8a0d8f025ba3d1fe9a8f68e6.dll
Size

2.5MB
MD5

4369117f53081ad0c1162a72f0b11d5b
SHA1

107b1ffcef958ac6c53df4755f7ad3c39d0d6efa
SHA256

7486d7041b3f928b320b0af29cf00db73a07af1e8a0d8f025ba3d1fe9a8f68e6
SHA512

1892c4c5f9c9a92aa6a3ad26fc5aa727a79d557d4265f6c8630c3032cf116a7c2615281b3274a01e6166c122a57efe19840244a1eaa85ee03ee70e741429ab27
SSDEEP

49152:omnCHSmFu9G3htm4e0P0O153nVpkqEo/huE:oMsmihBP0O15DBEuhp

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Wine	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1992	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1992	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	rundll32.exe
Token: SeDebugPrivilege	1992	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1992	rundll32.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1992	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1992	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1992	1980	rundll32.exe	27
PID 1980 wrote to memory of 1992	1980	rundll32.exe	27
PID 1980 wrote to memory of 1992	1980	rundll32.exe	27
PID 1980 wrote to memory of 1992	1980	rundll32.exe	27
PID 1980 wrote to memory of 1992	1980	rundll32.exe	27
PID 1980 wrote to memory of 1992	1980	rundll32.exe	27
PID 1980 wrote to memory of 1992	1980	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7486d7041b3f928b320b0af29cf00db73a07af1e8a0d8f025ba3d1fe9a8f68e6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7486d7041b3f928b320b0af29cf00db73a07af1e8a0d8f025ba3d1fe9a8f68e6.dll,#1
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-54-0x0000000010000000-0x0000000010671000-memory.dmp

Filesize
6.4MB

Download
memory/1992-55-0x0000000010000000-0x0000000010671000-memory.dmp

Filesize
6.4MB

Download