Analysis

max time kernel: 129s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 03:49
Behavioral task: behavioral1
Sample: d5066f6eb484e09f7c3eb427b1ce981ac2d2cf71aaa4d2aa2be126c65ff384b1.dll
Resource: win7-20240508-en
General

Target: d5066f6eb484e09f7c3eb427b1ce981ac2d2cf71aaa4d2aa2be126c65ff384b1.dll
Size: 3.2MB
MD5: 458d9dfeb81e8711b5696bc0ffd3ded6
SHA1: 4472ac0990d473adf11be604b4f820d25e9f501f
SHA256: d5066f6eb484e09f7c3eb427b1ce981ac2d2cf71aaa4d2aa2be126c65ff384b1
SHA512: aebf9aefa9227c1fd9b00b98748efa8101bcfa734db94ea15a9efa49af3f1edd24c86c94f7410d9208edc30abdf0f385c04cb6b9961097703e9effa21c1c91ef
SSDEEP: 98304:ipDHq5DWoLo+p4xWpc4uTdjiZM2RULBHOIL8x:ipec+phpc3TdufG6
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rundll32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rundll32.exe
Processes:
resource | yara_rule
behavioral2/memory/1612-0-0x0000000010000000-0x000000001085D000-memory.dmp | themida
behavioral2/memory/1612-3-0x0000000010000000-0x000000001085D000-memory.dmp | themida
behavioral2/memory/1612-4-0x0000000010000000-0x000000001085D000-memory.dmp | themida
behavioral2/memory/1612-2-0x0000000010000000-0x000000001085D000-memory.dmp | themida
behavioral2/memory/1612-5-0x0000000010000000-0x000000001085D000-memory.dmp | themida
behavioral2/memory/1612-6-0x0000000010000000-0x000000001085D000-memory.dmp | themida

Checks whether UAC is enabled
Processes: rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: rundll32.exe
pid | process
1612 | rundll32.exe

Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
4156 | 1612 | WerFault.exe | rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: rundll32.exe
pid | process
1612 | rundll32.exe
1612 | rundll32.exe
1612 | rundll32.exe
1612 | rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes: rundll32.exe
pid | process
1612 | rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes: rundll32.exe
description | pid | process | target process
PID 5044 wrote to memory of 1612 | 5044 | rundll32.exe | rundll32.exe
PID 5044 wrote to memory of 1612 | 5044 | rundll32.exe | rundll32.exe
PID 5044 wrote to memory of 1612 | 5044 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5066f6eb484e09f7c3eb427b1ce981ac2d2cf71aaa4d2aa2be126c65ff384b1.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5066f6eb484e09f7c3eb427b1ce981ac2d2cf71aaa4d2aa2be126c65ff384b1.dll,#1
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 784
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1612 -ip 1612
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

memory/1612-0-0x0000000010000000-0x000000001085D000-memory.dmp (Filesize 8.4MB)
memory/1612-1-0x0000000077434000-0x0000000077436000-memory.dmp (Filesize 8KB)
memory/1612-3-0x0000000010000000-0x000000001085D000-memory.dmp (Filesize 8.4MB)
memory/1612-4-0x0000000010000000-0x000000001085D000-memory.dmp (Filesize 8.4MB)
memory/1612-2-0x0000000010000000-0x000000001085D000-memory.dmp (Filesize 8.4MB)
memory/1612-5-0x0000000010000000-0x000000001085D000-memory.dmp (Filesize 8.4MB)
memory/1612-6-0x0000000010000000-0x000000001085D000-memory.dmp (Filesize 8.4MB)