“Dock Firmware Update Is Incompatible With Your System”
Incident Response
Risk Assessment
- Fingerprint
  - Queries firmware table data (may be used to fingerprint/evade)
  - Reads the active computer name
- Evasive
  - Marks file for deletion
MITRE ATT&CK™ Techniques Detection
This report has 11 indicators that were mapped to 11 attack techniques and 6 tactics.
Indicators
-
Anti-Detection/Stealthiness
-
Queries firmware table information (may be used to fingerprint/evade)
- details
-
“GetDockVer32W.exe” at 00017515-00003868-00000105-5656166663
“GetDockVer32W.exe” at 00017515-00003868-00000105-5656423849
“GetDockVer32W.exe” at 00017515-00003868-00000105-6049579449
“GetDockVer32W.exe” at 00017515-00003868-00000105-6049831857
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1120 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Installation/Persistence
-
Drops system driver
- details
- “DBUtil_2_3.Sys” has type “PE32 executable (native) Intel 80386 for MS Windows”
- source
- Extracted File
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Unusual Characteristics
-
References suspicious system modules
- details
- “ntoskrnl.exe”
- source
- String
- relevance
- 5/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details
- .data with unusual entropy 7.50683616977
- source
- Static Parser
- relevance
- 10/10
-
-
Environment Awareness
-
Reads the active computer name
- details
- “GetDockVer32W.exe” (Path: “HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME”; Key: “COMPUTERNAME”)
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
-
General
-
Opened the service control manager
- details
- “GetDockVer32W.exe” called “OpenSCManager” requesting access rights “SC_MANAGER_ALL_ACCESS” (0xf003f)
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1035 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Installation/Persistence
-
Drops executable files
- details
- “DBUtil_2_3.Sys” has type “PE32 executable (native) Intel 80386 for MS Windows”
- source
- Extracted File
- relevance
- 10/10
-
-
Network Related
-
Found potential IP address in binary/memory
- details
-
“01.00.00.06”
“00.00.00.29”
- source
- String
- relevance
- 3/10
-
-
System Destruction
-
Marks file for deletion
- details
- “C:\GetDockVer32W.exe” marked “%TEMP%\DBUtil_2_3.Sys” for deletion
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens file with deletion access rights
- details
- “GetDockVer32W.exe” opened “%TEMP%\DBUtil_2_3.Sys” with delete access
- source
- API Call
- relevance
- 7/10
-
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
- “DBUtil_2_3.Sys” claimed CRC 65331 while the actual is CRC 194783
- source
- Static Parser
- relevance
- 10/10
-
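The two static findings above on the dropped driver and the input sample, a .data section at 7.5 bits/byte and a PE header CheckSum that does not match the file, are cheap to reproduce without the sandbox. The following is an added example (not part of this report, and not Hybrid Analysis or Dell code): a pure-Python re-implementation of the CheckSum algorithm used by imagehlp!MapFileAndCheckSum together with a per-section Shannon entropy walk. Because the real binaries are not on this page, it runs against a constructed minimal PE32 image; that image, its deliberately wrong claimed CheckSum of 0x1234 and the 7.0 bits/byte threshold are assumptions.

```python
import math
import struct
from collections import Counter


def shannon_entropy(blob: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for a constant run, 8.0 for uniform)."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum the way imagehlp!MapFileAndCheckSum does:
    add every 32-bit word of the file except the CheckSum field itself, fold the carries
    down to 16 bits, then add the file length."""
    padded = data + b"\0" * (-len(data) % 4)          # a trailing partial word is zero-padded
    skip = checksum_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: claimed CheckSum, recomputed CheckSum, per-section entropy."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    checksum_off = opt + 0x40                          # CheckSum is at +0x40 in both PE32 and PE32+
    claimed = struct.unpack_from("<I", data, checksum_off)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 6)})
    return {"claimed_checksum": claimed,
            "actual_checksum": pe_checksum(data, checksum_off),
            "sections": sections}


def triage(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Both static checks the report raised, in one pass over the file."""
    info = parse_pe(data)
    info["checksum_mismatch"] = info["claimed_checksum"] != info["actual_checksum"]
    info["high_entropy_sections"] = [s["name"] for s in info["sections"]
                                     if s["entropy"] >= entropy_threshold]
    return info


def build_sample_pe(data_section: bytes, claimed_checksum: int) -> bytes:
    """Constructed, minimal PE32 image used only to exercise the parser (not a Dell binary):
    MZ stub, PE signature, COFF header, PE32 optional header, one '.data' section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)   # i386, 1 section, EXE
    raw_ptr = 0x200                                     # first FileAlignment boundary past the headers
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 0x40, claimed_checksum)
    sect = struct.pack("<8sIIIIIIHHI", b".data", len(data_section), 0x1000,
                       len(data_section), raw_ptr, 0, 0, 0, 0, 0xC0000040)
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + sect)
    image += b"\0" * (raw_ptr - len(image))
    image += data_section
    return bytes(image)


if __name__ == "__main__":
    # High-entropy .data (every byte value equally often) plus a wrong CheckSum in the header.
    sample = build_sample_pe(bytes(range(256)) * 4, claimed_checksum=0x1234)
    result = triage(sample)
    print("claimed CheckSum %d, recomputed %d, mismatch=%s"
          % (result["claimed_checksum"], result["actual_checksum"], result["checksum_mismatch"]))
    for s in result["sections"]:
        print("%-8s %6d bytes  entropy %.3f" % (s["name"], s["raw_size"], s["entropy"]))
```

Two caveats when reading these numbers on a real sample. The Authenticode hash deliberately excludes the CheckSum field (and the certificate-table directory entry), so a wrong CheckSum does not break a signature and is not by itself evidence that a signed file was altered after signing; user-mode executables routinely ship with the field left at zero, and the PE specification only calls for the loader to validate it on drivers and certain system DLLs. A .data section near 7.5 bits/byte usually means a compressed or encrypted blob stored as data, which fits the report's observation that GetDockVer32W.exe writes DBUtil_2_3.Sys out to %TEMP% itself rather than downloading it.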
Imports suspicious APIs
- details
-
CreateServiceA
StartServiceA
DeviceIoControl
GetModuleFileNameW
IsDebuggerPresent
GetVersionExA
GetModuleFileNameA
CreateDirectoryA
DeleteFileA
UnhandledExceptionFilter
GetStartupInfoW
GetCommandLineA
GetProcAddress
CreateThread
LoadLibraryW
GetModuleHandleA
WriteFile
GetModuleHandleW
TerminateProcess
CreateFileW
Sleep
GetTickCount
CreateFileA
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
“GetDockVer32W.exe” wrote bytes “4812db74” to virtual address “0x74DC83DC” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “b8c015406dffe0” to virtual address “0x74DB11F8” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “68130000” to virtual address “0x75841680” (part of module “WS2_32.DLL”)
“GetDockVer32W.exe” wrote bytes “48120000” to virtual address “0x74DB139C” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “48120000” to virtual address “0x74DB12DC” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “b83012406dffe0” to virtual address “0x75841368” (part of module “WS2_32.DLL”)
“GetDockVer32W.exe” wrote bytes “f811db74” to virtual address “0x74DC834C” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “f8110000” to virtual address “0x74DB1408” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “b84013406dffe0” to virtual address “0x74DB1248” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “4812db74” to virtual address “0x74DC8348” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “f811db74” to virtual address “0x74DC8368” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “c04e027720540377e0650377b53804770000000000d0437500000000c5ea43750000000088ea437500000000e968f97482280477ee29047700000000d269f974000000007dbb43750000000009bef97400000000ba18437500000000” to virtual address “0x77171000” (part of module “NSI.DLL”)
“GetDockVer32W.exe” wrote bytes “f8110000” to virtual address “0x74DB12CC” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “f811db74” to virtual address “0x74DC83C4” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “4812db74” to virtual address “0x74DC8364” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “4812db74” to virtual address “0x74DC83C0” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “f811db74” to virtual address “0x74DC83E0” (part of module “SSPICLI.DLL”)
“GetDockVer32W.exe” wrote bytes “6012406d” to virtual address “0x76FAE324” (part of module “WININET.DLL”)
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
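The hook-detection entries above are raw byte writes, and the useful signal is the chain they form: a 7-byte `mov eax, imm32 ; jmp eax` stub is planted in a system DLL, and pointer-sized slots elsewhere in that DLL are rewritten to point at the stub. The decoder below is an added example (not from this report, not Hybrid Analysis code) that parses lines in the report's format, recognises the stub, and links each 4-byte write to the stub it references. Its input is a subset of the lines listed above (straight quotes instead of the page's curly ones; the NSI.DLL write is cut to its first 24 of 88 bytes). Treating the small values 0x1368 and 0x1248 as the low 16 bits of a stub address is an assumption about how the sandbox logged those writes, and is labelled as such in the output.

```python
import re
import struct

# Hook-write lines taken from the report above; the NSI.DLL entry is truncated to 24 bytes.
REPORT_LINES = [
    '"GetDockVer32W.exe" wrote bytes "4812db74" to virtual address "0x74DC83DC" (part of module "SSPICLI.DLL")',
    '"GetDockVer32W.exe" wrote bytes "b8c015406dffe0" to virtual address "0x74DB11F8" (part of module "SSPICLI.DLL")',
    '"GetDockVer32W.exe" wrote bytes "68130000" to virtual address "0x75841680" (part of module "WS2_32.DLL")',
    '"GetDockVer32W.exe" wrote bytes "48120000" to virtual address "0x74DB139C" (part of module "SSPICLI.DLL")',
    '"GetDockVer32W.exe" wrote bytes "b83012406dffe0" to virtual address "0x75841368" (part of module "WS2_32.DLL")',
    '"GetDockVer32W.exe" wrote bytes "f811db74" to virtual address "0x74DC834C" (part of module "SSPICLI.DLL")',
    '"GetDockVer32W.exe" wrote bytes "b84013406dffe0" to virtual address "0x74DB1248" (part of module "SSPICLI.DLL")',
    '"GetDockVer32W.exe" wrote bytes "c04e027720540377e0650377b53804770000000000d04375" to virtual address "0x77171000" (part of module "NSI.DLL")',
    '"GetDockVer32W.exe" wrote bytes "6012406d" to virtual address "0x76FAE324" (part of module "WININET.DLL")',
]

LINE_RE = re.compile(r'wrote bytes [“"]([0-9a-fA-F]+)[”"] to virtual address [“"]0x([0-9a-fA-F]+)[”"]'
                     r' \(part of module [“"]([^“”"]+)[”"]\)')


def parse_writes(lines):
    """(address, bytes written, module) for every hook-detection line that matches the report format."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            out.append((int(m.group(2), 16), bytes.fromhex(m.group(1)), m.group(3)))
    return out


def decode_stub(blob):
    """Return the jump target if blob is the 7-byte 'mov eax, imm32 ; jmp eax' stub (B8 imm32 FF E0)."""
    if len(blob) == 7 and blob[0] == 0xB8 and blob[5:] == b"\xff\xe0":
        return struct.unpack_from("<I", blob, 1)[0]
    return None


def classify(writes):
    """Label each write and follow slot -> stub -> target chains across the whole set."""
    stubs = {addr: decode_stub(blob) for addr, blob, _ in writes if decode_stub(blob) is not None}
    findings = []
    for addr, blob, module in writes:
        f = {"addr": addr, "module": module}
        if addr in stubs:
            f.update(kind="trampoline", target=stubs[addr])
        elif len(blob) == 4:
            value = struct.unpack("<I", blob)[0]
            if value in stubs:                                   # a slot now pointing at a stub
                f.update(kind="pointer->trampoline", via=value, target=stubs[value])
            elif any((s & 0xFFFF) == value for s in stubs):      # assumed: only the low 16 bits logged
                f.update(kind="low-word-of-stub", target=value)
            else:
                f.update(kind="pointer", target=value)
        elif len(blob) % 4 == 0:                                 # bulk write: read it as a pointer table
            f.update(kind="pointer-table", entries=list(struct.unpack("<%dI" % (len(blob) // 4), blob)))
        else:
            f.update(kind="unknown", raw=blob.hex())
        findings.append(f)
    return findings


def hook_targets(findings):
    """Where control ends up once a patched slot or stub is reached, sorted and de-duplicated."""
    return sorted({f["target"] for f in findings
                   if f["kind"] in ("trampoline", "pointer->trampoline", "pointer")})


if __name__ == "__main__":
    found = classify(parse_writes(REPORT_LINES))
    for f in found:
        extra = ("-> 0x%08X" % f["target"] if "target" in f
                 else "%d entries" % len(f["entries"]) if "entries" in f else f.get("raw", ""))
        print("%-12s 0x%08X %-20s %s" % (f["module"], f["addr"], f["kind"], extra))
    print("hook targets:", ["0x%08X" % t for t in hook_targets(found)])
```

Run over the report's own lines, the SSPICLI.DLL and WS2_32.DLL slots all resolve through stubs into 0x6D40xxxx, and the WININET.DLL slot is pointed there directly; that region belongs to no module named anywhere in this report, while the 24-byte NSI.DLL write decodes to a plain table of pointers into other loaded DLLs and is not a hook. Before attributing the patches to the sample, resolve 0x6D40xxxx against the loaded-module list in the full report: writes of this shape into system DLLs during a sandbox run can also come from the analysis environment's own instrumentation or from the application-compatibility layer the report shows being touched (sysmain.sdb, AcGenral.dll), and the EV code signature and 0/71 antivirus verdict on the input sample make that worth ruling out first.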
-
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as an anti-debugging trick)
- details
- [API name obfuscated in the captured page]
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
-
Environment Awareness
-
Contains ability to query machine time
- details
- [API name obfuscated in the captured page]
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124 (Show technique in the MITRE ATT&CK™ matrix)
-
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/71 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
-
General
-
Creates a writable file in a temporary directory
- details
- “GetDockVer32W.exe” created file “%TEMP%\DBUtil_2_3.Sys”
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
“\Sessions\1\BaseNamedObjects\Global\DELL_BIOS_FLASH_MUL_INSTANCE_MUTEX”
“Global\DELL_BIOS_FLASH_MUL_INSTANCE_MUTEX”
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file “DBUtil_2_3.Sys” as clean (type is “PE32 executable (native) Intel 80386 for MS Windows”)
- source
- Extracted File
- relevance
- 10/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by “CN=Entrust Root Certification Authority - G2, OU=”(c) 2009 Entrust, Inc. - for authorized use only”, OU=See www.entrust.net/legal-terms, O=”Entrust, Inc.”, C=US” (SHA1: 64:B8:F1:ED:EF:40:D7:D2:86:02:B6:B9:17:1A:FF:11:4E:12:A6:46; see report for more information)
The input sample is signed with a certificate issued by “CN=Entrust Extended Validation Code Signing CA - EVCS1, OU=”(c) 2015 Entrust, Inc. - for authorized use only”, OU=See www.entrust.net/legal-terms, O=”Entrust, Inc.”, C=US” (SHA1: AE:35:C1:91:EE:03:17:F5:12:6C:A4:15:B3:8E:79:40:93:F5:A1:CA; see report for more information)
- source
- Certificate Information
- relevance
- 10/10
- ATT&CK ID
- T1116 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Installation/Persistence
-
Dropped files
- details
-
“DBUtil_2_3.Sys” has type “PE32 executable (native) Intel 80386 for MS Windows”
“GetDockVer32W.log” has type “ASCII text with CRLF line terminators”
“dockversion.xml” has type “XML 1.0 document ASCII text with no line terminators”
- source
- Extracted File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
“GetDockVer32W.exe” touched file “%WINDIR%\AppPatch\sysmain.sdb”
“GetDockVer32W.exe” touched file “%WINDIR%\AppPatch\AcGenral.dll”
“GetDockVer32W.exe” touched file “%WINDIR%\Globalization\Sorting\SortDefault.nls”
- source
- API Call
- relevance
- 7/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: “www.entrust.net/legal-terms1907”
Pattern match: “http://ocsp.entrust.net00”
Pattern match: “http://crl.entrust.net/g2ca.crl0”
Pattern match: “http://www.entrust.net/rpa0”
Pattern match: “http://ocsp.entrust.net05”
Pattern match: “http://aia.entrust.net/evcs1-chain256.cer01”
Pattern match: “http://crl.entrust.net/evcs1.crl0J”
Pattern match: “https://d.symcb.com/cps0%”
Pattern match: “https://d.symcb.com/rpa0”
Pattern match: “http://s.symcd.com06”
Pattern match: “http://s.symcb.com/universal-root.crl0”
Pattern match: “https://d.symcb.com/rpa0@”
Pattern match: “http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0”
Pattern match: “http://ts-ocsp.ws.symantec.com0”
Pattern match: “http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0”
- source
- String
- relevance
- 10/10
-
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
“b14f8dc70fb23c46754ddd8d2977164e4283ce5638eeb6d3a7778ecad36f5372.bin” was detected as “VC8 -> Microsoft Corporation”
“DBUtil_2_3.Sys” was detected as “Visual C++ 2003 DLL -> Microsoft”
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045 (Show technique in the MITRE ATT&CK™ matrix)
-
File Details
All Details:
GetDockVer32W.exe
- Filename
- GetDockVer32W.exe
- Size
- 158KiB (161320 bytes)
- Type
-
peexe
executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
-
b14f8dc70fb23c46754ddd8d2977164e4283ce5638eeb6d3a7778ecad36f5372
- Compiler/Packer
- VC8 -> Microsoft Corporation
Version Info
- LegalCopyright
- Copyright (C) 2016
- InternalName
- GetDockVer.exe
- FileVersion
- 0.0.0.2
- CompanyName
- Dell, Inc.
- ProductName
- Dell Firmware Update
- ProductVersion
- 0.0.0.2
- FileDescription
- Get Dock Version
- OriginalFilename
- GetDockVer.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 61.7% (.EXE) Win64 Executable (generic)
- 14.7% (.DLL) Win32 Dynamic Link Library (generic)
- 10.0% (.EXE) Win32 Executable (generic)
- 4.5% (.EXE) OS/2 Executable (generic)
- 4.4% (.EXE) Generic Win/DOS Executable
File Sections
Hybrid Analysis
Analysed 1 process in total.
-
GetDockVer32W.exe
(PID: 3868)
Network Analysis
DNS Requests
No relevant DNS requests were made.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Notifications
- Network whitenoise filtering (Process) was applied
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID “string-24” are available in the report