Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-07-2023 13:32
Behavioral task: behavioral1
Sample: NA_11cbb0233aff83d54e0d9189d_JC.dll
Resource: win7-20230712-en
3 signatures, 150 seconds

Behavioral task: behavioral2
Sample: NA_11cbb0233aff83d54e0d9189d_JC.dll
Resource: win10v2004-20230703-en
3 signatures, 150 seconds
General
Target: NA_11cbb0233aff83d54e0d9189d_JC.dll
Size: 38KB
MD5: 9cd94c8ac5c05061bcd4edb8c1e7f8f4
SHA1: d722c153c9ea0b627b09346f1e9e6deec4c3cbe0
SHA256: 11cbb0233aff83d54e0d9189d3a08d02a6bbb0ffa5c3b161df462780e0ee2d2d
SHA512: 9eea5545db4bd2c4f898f3ca733af839e710754a417615a926df95279db6b3803c230f0f083e5ac4248c4ed8e67e47f4c7fb5a08c5c042da5ecc2c291a363084
SSDEEP: 768:gGiEEBGU4Ly9RWFaoF4Vcps8etdvAgV1N:JiLBWLAWFad8eT4u1N
Score: 9/10
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: regsvr32.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | regsvr32.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: regsvr32.exe, regsvr32.exe, cmd.exe
  description | pid | process | target process
  PID 856 wrote to memory of 4484 | 856 | regsvr32.exe | regsvr32.exe
  PID 856 wrote to memory of 4484 | 856 | regsvr32.exe | regsvr32.exe
  PID 856 wrote to memory of 4484 | 856 | regsvr32.exe | regsvr32.exe
  PID 4484 wrote to memory of 3036 | 4484 | regsvr32.exe | cmd.exe
  PID 4484 wrote to memory of 3036 | 4484 | regsvr32.exe | cmd.exe
  PID 4484 wrote to memory of 3036 | 4484 | regsvr32.exe | cmd.exe
  PID 3036 wrote to memory of 5048 | 3036 | cmd.exe | PING.EXE
  PID 3036 wrote to memory of 5048 | 3036 | cmd.exe | PING.EXE
  PID 3036 wrote to memory of 5048 | 3036 | cmd.exe | PING.EXE
Processes (process tree, indented by depth)
1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\NA_11cbb0233aff83d54e0d9189d_JC.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      command line: /s C:\Users\Admin\AppData\Local\Temp\NA_11cbb0233aff83d54e0d9189d_JC.dll
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: cmd.exe /C "ping localhost && copy /b /y %SystemRoot%\System32\ActivationManager.dll %appdata%\Microsoft\nonresistantOutlivesDictatorial\AphroniaHaimavati.dll"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\PING.EXE
            command line: ping localhost
            - Runs ping.exe