Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03-06-2024 03:59

General

  • Target

    d0000.dll

  • Size

    74KB

  • MD5

    0d655ecb0b27564685114e1d2e598627

  • SHA1

    9834d2149842cb807dcfd6b9282eebbfc27f64dc

  • SHA256

    c56792bea8ac5fbf893ae3df1be0c3c878a615db6b24fd5253e5cbbc2e3e1dd3

  • SHA512

    657172e7b19bfd286d7f1f6336ff8638cf9a62686f72f955a3dfe519a923c1aa953bdf4f533c39cbd6b9c10dffa2101f0f0770de2696f3a8e79c413a535a25ee

  • SSDEEP

    1536:MS1LKOuMVMCL5D8Nbv5BXg06v/0DNHUYbLOyZeZjOLfJxFwKW01uGR/xOi7OCAf7:MS1HVMCL5EL/9KCRihn

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Enumerates system info in registry
      PID:2140

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads