Analysis
-
max time kernel
140s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
17-07-2024 04:42
Behavioral task
behavioral1
Sample
maple/Maple.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
maple/Maple.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
maple/crack.dll
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
maple/crack.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
maple/loader.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
maple/loader.exe
Resource
win10v2004-20240709-en
General
-
Target
maple/crack.dll
-
Size
5.0MB
-
MD5
b5b1b26e855eda6268b9a2008e0fce86
-
SHA1
d7925f7de5835e3564b187d8654bb9305ea945fb
-
SHA256
06dec4f9857f7b9a43157756606546d04a0f34c87681c7db9aab9125a43b33a7
-
SHA512
14ad2e93ed5876dd246ce6f32674e994b4f35a5acbb1ac46388bebc682a70ce4eca974fda102c273c71dae3c9bc7b69f965fd636cb2d5c579de9cd23e8b35799
-
SSDEEP
98304:j+YCYfXbb8DckgAEhxWiHF/5DoNZ2qkFVwz7583lfdmjLdGGf:jP8QDDRF/eNsqgiZ
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe -
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 2524 wrote to memory of 2020 2524 rundll32.exe WerFault.exe PID 2524 wrote to memory of 2020 2524 rundll32.exe WerFault.exe PID 2524 wrote to memory of 2020 2524 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\maple\crack.dll,#11⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2524 -s 1162⤵PID:2020
-