Analysis
- max time kernel: 27s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 10-07-2024 21:06
Static task: static1
Behavioral task: behavioral1
  Sample: SiroSix's Public D3D H4CK V5.7/Sir0s1x Public D3D 5.7.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: SiroSix's Public D3D H4CK V5.7/Sir0s1x Public D3D 5.7.dll
  Resource: win10v2004-20240709-en
General
- Target: SiroSix's Public D3D H4CK V5.7/Sir0s1x Public D3D 5.7.dll
- Size: 724KB
- MD5: 9aa862fd9f4c9e9772e86f8dddc26d62
- SHA1: 2dab7417c22c841582c55255fb09d3be71082e3e
- SHA256: 64ddf54948b0499c0a70285a1968bd8b113c7fbecd184aacfbb8f0f82cdbed85
- SHA512: aac9a56dc516b37ca4230ef1f0490dddaba6d91c308a994e5f230db89fa88bc03c21bb58d1c831a513c233c4d35f30bafb092e3fba39a2016a3ac9b8b2b0adf8
- SSDEEP: 12288:g768ZiJym1wRN1EXtq2BEXTuh1tTVewmIWjqQ7SxgWhvS5hW50J63:ge8dmKRN1as2z1VO7/Whq5aL
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: rundll32.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | process: rundll32.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: rundll32.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine | process: rundll32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: rundll32.exe
  pid: 1052 | process: rundll32.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid: 2784 | pid_target: 1052 | process: WerFault.exe | target process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: rundll32.exe
  pid: 1052 | process: rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description: PID 2432 wrote to memory of 1052 | pid: 2432 | process: rundll32.exe | target process: rundll32.exe (7 identical entries)
  description: PID 1052 wrote to memory of 2784 | pid: 1052 | process: rundll32.exe | target process: WerFault.exe (4 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\SiroSix's Public D3D H4CK V5.7\Sir0s1x Public D3D 5.7.dll",#1
  PID: 2432
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\SiroSix's Public D3D H4CK V5.7\Sir0s1x Public D3D 5.7.dll",#1
    PID: 1052
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 432
      PID: 2784
      - Program crash