4ad3d6788079f54e92ba7f36e69524b85904ee21e42c89eed0b2bd4fb64f338f

Analysis

max time kernel
148s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arphadump.dll
Size

10.4MB
MD5

057381c48055743f1826fd6ec098b464
SHA1

9c09a534c22863a73f0544ca6039fdf80e6ddfb8
SHA256

ecb680f6088157193ec5d16246d31669e7153da94fd3ee4273cdac7c9cdcac7b
SHA512

c1123a35155e56ace597af97e67aab3b3a8713e026801f82171e6d32b1c6b64d6b44395d069c0031e9695da557e4c44ec1dc081ed42ec17563cb7f834f944297
SSDEEP

196608:JLPRePJLb2hsDkLsZadle1NEoH+5TNuJKoE0+vDfqMR8xK:JFePJLKhPLsMDe1NxH+5T+e5

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Wine	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
676	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2000	676	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
676	rundll32.exe
676	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 676	4320	rundll32.exe	86
PID 4320 wrote to memory of 676	4320	rundll32.exe	86
PID 4320 wrote to memory of 676	4320	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\arphadump.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\arphadump.dll,#1
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 932
    3⤵
    - Program crash
    PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 676 -ip 676
1⤵
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/676-0-0x0000000010000000-0x0000000010CC0000-memory.dmp

Filesize
12.8MB

Download
memory/676-1-0x00000000772B4000-0x00000000772B6000-memory.dmp

Filesize
8KB

Download
memory/676-3-0x0000000010000000-0x0000000010CC0000-memory.dmp

Filesize
12.8MB

Download
memory/676-4-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/676-5-0x0000000010000000-0x0000000010CC0000-memory.dmp

Filesize
12.8MB

Download
memory/676-6-0x0000000010000000-0x0000000010CC0000-memory.dmp

Filesize
12.8MB

Download