Analysis

max time kernel: 93s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 21:06
Static task: static1

Behavioral task: behavioral1
Sample: SiroSix's Public D3D H4CK V5.7/Sir0s1x Public D3D 5.7.dll
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: SiroSix's Public D3D H4CK V5.7/Sir0s1x Public D3D 5.7.dll
Resource: win10v2004-20240709-en
General

Target: SiroSix's Public D3D H4CK V5.7/Sir0s1x Public D3D 5.7.dll
Size: 724KB
MD5: 9aa862fd9f4c9e9772e86f8dddc26d62
SHA1: 2dab7417c22c841582c55255fb09d3be71082e3e
SHA256: 64ddf54948b0499c0a70285a1968bd8b113c7fbecd184aacfbb8f0f82cdbed85
SHA512: aac9a56dc516b37ca4230ef1f0490dddaba6d91c308a994e5f230db89fa88bc03c21bb58d1c831a513c233c4d35f30bafb092e3fba39a2016a3ac9b8b2b0adf8
SSDEEP: 12288:g768ZiJym1wRN1EXtq2BEXTuh1tTVewmIWjqQ7SxgWhvS5hW50J63:ge8dmKRN1as2z1VO7/Whq5aL
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rundll32.exe

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine | rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes: rundll32.exe
pid | process
2128 | rundll32.exe

Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe
pid | pid_target | process | target process
4368 | 2128 | WerFault.exe | rundll32.exe
212 | 2128 | WerFault.exe | rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
pid | process
2128 | rundll32.exe
2128 | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description | pid | process | target process
PID 4732 wrote to memory of 2128 | 4732 | rundll32.exe | rundll32.exe
PID 4732 wrote to memory of 2128 | 4732 | rundll32.exe | rundll32.exe
PID 4732 wrote to memory of 2128 | 4732 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\SiroSix's Public D3D H4CK V5.7\Sir0s1x Public D3D 5.7.dll",#1
- Suspicious use of WriteProcessMemory
PID: 4732

    C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\SiroSix's Public D3D H4CK V5.7\Sir0s1x Public D3D 5.7.dll",#1
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 2128

        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 860
        - Program crash
        PID: 4368

        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 900
        - Program crash
        PID: 212

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2128 -ip 2128
PID: 3656

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2128 -ip 2128
PID: 4200