6eee307788aa153b5be96830edd1cf85aa180afb5b6d5d7ff2d56e50fd553ce3

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20c24a15781710e9cf0121c5f36f335c.dll
Size

923KB
MD5

20c24a15781710e9cf0121c5f36f335c
SHA1

4c47a3db81547e88085ba659c6b0093ac8215697
SHA256

6eee307788aa153b5be96830edd1cf85aa180afb5b6d5d7ff2d56e50fd553ce3
SHA512

37e55515f45d19ea09bf1d25c6100985bca8c18057c6779d29d2b336b454ca394dabc34f38ea691f4f02ef4cba38b595ed9ef19729fd974181fb7a8cad4a23b3
SSDEEP

24576:d0A9AbAnfpp0HLYVUlPiSVyAuOidZca5l/0sA:d0A9VnfpeYVUNZyArYfn8N

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1832	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1832	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1832	624	rundll32.exe	14
PID 624 wrote to memory of 1832	624	rundll32.exe	14
PID 624 wrote to memory of 1832	624	rundll32.exe	14
PID 624 wrote to memory of 1832	624	rundll32.exe	14
PID 624 wrote to memory of 1832	624	rundll32.exe	14
PID 624 wrote to memory of 1832	624	rundll32.exe	14
PID 624 wrote to memory of 1832	624	rundll32.exe	14

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\20c24a15781710e9cf0121c5f36f335c.dll,#1
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\20c24a15781710e9cf0121c5f36f335c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1832-0-0x0000000074590000-0x0000000074784000-memory.dmp

Filesize
2.0MB

Download
memory/1832-2-0x0000000074380000-0x0000000074574000-memory.dmp

Filesize
2.0MB

Download
memory/1832-1-0x0000000074390000-0x0000000074584000-memory.dmp

Filesize
2.0MB

Download
memory/1832-3-0x0000000077120000-0x0000000077122000-memory.dmp

Filesize
8KB

Download
memory/1832-4-0x0000000074390000-0x0000000074584000-memory.dmp

Filesize
2.0MB

Download
memory/1832-5-0x0000000074380000-0x0000000074574000-memory.dmp

Filesize
2.0MB

Download