Analysis Overview
SHA256
6d456977f4d338c27ace3a30a24d10959c27101326bb015300059ed5ca6f57b8
Threat Level: Known bad
The file 6d456977f4d338c27ace3a30a24d10959c27101326bb015300059ed5ca6f57b8.dll was found to be: Known bad.
Malicious Activity Summary
Detects executables packed with Themida
Detects executables Discord URL observed in first stage droppers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Themida packer
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 01:19
Signatures
Detects executables packed with Themida
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 01:19
Reported
2024-06-11 01:21
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Detects executables Discord URL observed in first stage droppers
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Detects executables packed with Themida
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2184 wrote to memory of 760 (7 write events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d456977f4d338c27ace3a30a24d10959c27101326bb015300059ed5ca6f57b8.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d456977f4d338c27ace3a30a24d10959c27101326bb015300059ed5ca6f57b8.dll,#1
Network
Files
memory/760-0-0x00000000744C0000-0x0000000075011000-memory.dmp
memory/760-1-0x0000000073270000-0x0000000073DC1000-memory.dmp
memory/760-2-0x00000000744D0000-0x0000000075021000-memory.dmp
memory/760-4-0x00000000779D0000-0x00000000779D2000-memory.dmp
memory/760-3-0x00000000744E0000-0x0000000075031000-memory.dmp
memory/760-5-0x00000000744E0000-0x0000000075031000-memory.dmp
memory/760-6-0x00000000744E0000-0x0000000075031000-memory.dmp
memory/760-7-0x00000000744E0000-0x0000000075031000-memory.dmp
memory/760-9-0x00000000744E0000-0x0000000075031000-memory.dmp
memory/760-10-0x00000000744E0000-0x0000000075031000-memory.dmp
memory/760-8-0x00000000744E0000-0x0000000075031000-memory.dmp
memory/760-11-0x00000000744E0000-0x0000000075031000-memory.dmp
memory/760-12-0x00000000744E0000-0x0000000075031000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 01:19
Reported
2024-06-11 01:21
Platform
win10v2004-20240426-en
Max time kernel
94s
Max time network
139s
Command Line
Signatures
Detects executables Discord URL observed in first stage droppers
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Detects executables packed with Themida
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 908 wrote to memory of 2672 (3 write events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d456977f4d338c27ace3a30a24d10959c27101326bb015300059ed5ca6f57b8.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d456977f4d338c27ace3a30a24d10959c27101326bb015300059ed5ca6f57b8.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.160.77.104.in-addr.arpa | udp |
Files
memory/2672-0-0x0000000074AB0000-0x0000000075601000-memory.dmp
memory/2672-1-0x0000000077BA4000-0x0000000077BA6000-memory.dmp
memory/2672-2-0x0000000074AB0000-0x0000000075601000-memory.dmp
memory/2672-3-0x0000000074AB0000-0x0000000075601000-memory.dmp
memory/2672-4-0x0000000074AB0000-0x0000000075601000-memory.dmp
memory/2672-6-0x0000000074AB0000-0x0000000075601000-memory.dmp
memory/2672-7-0x0000000074AB0000-0x0000000075601000-memory.dmp
memory/2672-5-0x0000000074AB0000-0x0000000075601000-memory.dmp
memory/2672-8-0x0000000074AB0000-0x0000000075601000-memory.dmp