Analysis
- max time kernel: 140s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-06-2023 12:49
Behavioral task
- behavioral1
- Sample: e66dec71ef0ffbb33127f41b8ab1fe3e.dll
- Resource: win7-20230621-en
- Platform: windows7-x64
- 7 signatures
- 150 seconds
General
- Target: e66dec71ef0ffbb33127f41b8ab1fe3e.dll
- Size: 1.5MB
- MD5: e66dec71ef0ffbb33127f41b8ab1fe3e
- SHA1: 719e12ef09b6e3ab747421946a57739a649cf483
- SHA256: 240ff64b312acf203a1498a58801bf79ad99617e7dbf961c6a289531d1b7b39b
- SHA512: 1ba9a2f4bc6552339078762acd52b59d2ed3798d49b6b5bf0615f3caa6a315103f3166e8941b94f6d5a01e06dfdd38363e1e6d1091fe046e1697589e57a79959
- SSDEEP: 24576:7UA0Aa/NF9BpvbxxQO/Wh5ChSNF3PWjdCXpKO7Yq8EMHOS8NdOBG7QTOTzgZrkQ3:10xlbBpvHb/Wh5Xv3OjdKKOj8ErRNdu1
Malware Config
Extracted
- Family: systembc
- C2:
  5.42.65.67:4298
  localhost.exchange:4298
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 1 IoCs
  Processes:
    description   ioc                                           process
    Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   rundll32.exe
- Blocklisted process makes network request | 1 IoCs
  Processes:
    flow   pid    process
    16     5068   rundll32.exe
- Checks BIOS information in registry | 2 TTPs | 2 IoCs
  BIOS information is often read in order to detect sandboxing environments: these registry values are populated from the firmware at boot and, inside a virtual machine, typically name the hypervisor vendor.
  Processes:
    description         ioc                                                              process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   rundll32.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    rundll32.exe
- YARA rule match: themida
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/5068-133-0x00007FF8163A0000-0x00007FF8168D2000-memory.dmp   themida
    behavioral2/memory/5068-134-0x00007FF8163A0000-0x00007FF8168D2000-memory.dmp   themida
- Checks whether UAC is enabled
  Processes:
    description         ioc                                                                                  process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger | 1 IoCs
  Processes:
    pid    process
    5068   rundll32.exe
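The signatures above are all derived from the same kind of raw event: a registry key the sample touched, or a native API it called. As an added example (not part of this sandbox report or of any sandbox's own code), the Python below re-derives those signatures from constructed events laid out in the report's "description / ioc / process" shape, and separates the anti-VM / anti-debug checks from the UAC lookup. The ACPI tables FADT and RSDT, the SystemBiosDate value, and the API-log line format are assumptions that generalise the rows shown above; registry paths are matched case-insensitively because Windows key names are.

```python
"""Re-derive behavioural signatures from raw sandbox events (added example)."""
import re
from collections import defaultdict

# Constructed sample events mirroring the report's rows for pid 5068.
# The ProductName row is benign noise added to show that an ordinary registry
# read triggers nothing; the last row models the HideFromDebugger call in a
# hypothetical API-log format (assumption, not the sandbox's real log syntax).
SAMPLE_EVENTS = [
    ("Key opened",
     r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "rundll32.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "rundll32.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "rundll32.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "rundll32.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", "rundll32.exe"),
    ("API call",
     "NtSetInformationThread(ThreadInformationClass=ThreadHideFromDebugger)", "rundll32.exe"),
]

VBOX_ACPI = "Identifies VirtualBox via ACPI registry values (likely anti-VM)"
BIOS_INFO = "Checks BIOS information in registry"
UAC_CHECK = "Checks whether UAC is enabled"
HIDE_FROM_DEBUGGER = "Suspicious use of NtSetInformationThreadHideFromDebugger"

# (signature name, regex over the ioc column). FADT/RSDT and SystemBiosDate are
# assumed generalisations of the DSDT / *BiosVersion rows seen in the report.
SIGNATURES = [
    (VBOX_ACPI,
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.IGNORECASE)),
    (BIOS_INFO,
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\"
                r"(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.IGNORECASE)),
    (UAC_CHECK,
     re.compile(r"\\Policies\\System\\EnableLUA$", re.IGNORECASE)),
    (HIDE_FROM_DEBUGGER,
     re.compile(r"NtSetInformationThread\(.*ThreadHideFromDebugger")),
]

# Signatures that indicate evasion; the UAC read is a privilege check, not evasion.
ANTI_ANALYSIS = {VBOX_ACPI, BIOS_INFO, HIDE_FROM_DEBUGGER}


def classify(events):
    """Return {signature name: [ioc, ...]} for every event a rule matches.

    Rules are disjoint, so the first match wins and an event counts once.
    """
    hits = defaultdict(list)
    for _description, ioc, _process in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ioc):
                hits[name].append(ioc)
                break
    return dict(hits)


def unmatched(events):
    """Events no rule explains; useful for spotting gaps in the rule set."""
    return [e for e in events if not any(p.search(e[1]) for _, p in SIGNATURES)]


def anti_analysis_score(hits):
    """Number of distinct anti-VM / anti-debug signatures that fired."""
    return sum(1 for name in hits if name in ANTI_ANALYSIS)


if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for name, iocs in found.items():
        print(f"{name} | {len(iocs)} IoCs")
        for ioc in iocs:
            print(f"    {ioc}")
    print(f"anti-analysis signatures: {anti_analysis_score(found)}")
    print(f"unexplained events: {len(unmatched(SAMPLE_EVENTS))}")
```

Run against the constructed events, the four signatures from the report fire and the ProductName read is left unexplained; three of the four are anti-analysis, matching what the process tree below attributes to pid 5068.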
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e66dec71ef0ffbb33127f41b8ab1fe3e.dll,#1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger