Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-06-2023 21:59

General

  • Target

    443c727f45873a83f2b236cafa7781439e0ce9a25120d01621a812af15934ffd.dll

  • Size

    18KB

  • MD5

    8bc27fd9c49426a50ebc2d55e84a2ab6

  • SHA1

    15c5ff436d2f663ff90f6e194c6b397be35952e9

  • SHA256

    443c727f45873a83f2b236cafa7781439e0ce9a25120d01621a812af15934ffd

  • SHA512

    6bf54dd10d675f97570789231764b38e3b641669e4f55b47074715ff7a7e5cdb47fe8282438f01e153a293278dec994ea3651e9c7681f0654dfcfba09875f34e

  • SSDEEP

    192:Y7z0+lD+GrfDtmiQe9XzDQOrueD2ra7oSCEPhQs8WOQUbS3TwaARqRCfaU5MW:vmjDs2dBHqra7oSjMvIwveCfaU5v

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\443c727f45873a83f2b236cafa7781439e0ce9a25120d01621a812af15934ffd.dll, DllRegisterServer
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\443c727f45873a83f2b236cafa7781439e0ce9a25120d01621a812af15934ffd.dll, DllRegisterServer
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /F /TN "{8B30B3CD-2068-4F75-AB1F-FCAE6AF928B6}" /TR " cmd /q /c start /min \"\" powershell \"$nonresistantOutlivesDictatorial = Get-ItemProperty -Path HKCU:\Software\nonresistantOutlivesDictatorial; powershell -encodedcommand $nonresistantOutlivesDictatorial.AphroniaHaimavati \"" /SC MINUTE /MO 13
        3⤵
        • Creates scheduled task(s)
        PID:1920
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C "ping localhost && DEL /F /S /Q /A C:\Users\Admin\AppData\Local\Temp\443c727f45873a83f2b236cafa7781439e0ce9a25120d01621a812af15934ffd.dll"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:364
        • C:\Windows\SysWOW64\PING.EXE
          ping localhost
          4⤵
          • Runs ping.exe
          PID:8

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads