“Dock Firmware Update Is Incompatible With Your System”

Incident Response


Risk Assessment

Fingerprint
Queries firmware table data (may be used to fingerprint/evade)

Reads the active computer name
Evasive
Marks file for deletion


MITRE ATT&CK™ Techniques Detection

This report has 11 indicators that were mapped to 11 attack techniques and 6 tactics.


Indicators


Not all malicious and suspicious indicators are displayed; the full set is only available in the private cloud service or the full version of the report.

  • Anti-Reverse Engineering

  • Environment Awareness

  • General

  • Installation/Persistence


    • Drops executable files

      details
      “DBUtil_2_3.Sys” has type “PE32 executable (native) Intel 80386 for MS Windows”
      source
      Extracted File
      relevance
      10/10
  • Network Related

  • System Destruction

  • Unusual Characteristics


    • CRC value set in PE header does not match actual value

      details
      “DBUtil_2_3.Sys” claimed CRC 65331 while the actual is CRC 194783
      source
      Static Parser
      relevance
      10/10

    • Imports suspicious APIs

      details
      CreateServiceA
      StartServiceA
      DeviceIoControl
      GetModuleFileNameW
      IsDebuggerPresent
      GetVersionExA
      GetModuleFileNameA
      CreateDirectoryA
      DeleteFileA
      UnhandledExceptionFilter
      GetStartupInfoW
      GetCommandLineA
      GetProcAddress
      CreateThread
      LoadLibraryW
      GetModuleHandleA
      WriteFile
      GetModuleHandleW
      TerminateProcess
      CreateFileW
      Sleep
      GetTickCount
      CreateFileA
      source
      Static Parser
      relevance
      1/10
      Taken together with the dropped DBUtil_2_3.Sys (a native-mode PE), CreateServiceA, StartServiceA and DeviceIoControl are the calls used to register a kernel driver as a service, start it and send it IOCTLs; the rest of the list is ordinary CRT and loader boilerplate, which is why the indicator scores only 1/10.

    • Installs hooks/patches the running process

      details
      “GetDockVer32W.exe” wrote bytes “4812db74” to virtual address “0x74DC83DC” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “b8c015406dffe0” to virtual address “0x74DB11F8” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “68130000” to virtual address “0x75841680” (part of module “WS2_32.DLL”)
      “GetDockVer32W.exe” wrote bytes “48120000” to virtual address “0x74DB139C” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “48120000” to virtual address “0x74DB12DC” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “b83012406dffe0” to virtual address “0x75841368” (part of module “WS2_32.DLL”)
      “GetDockVer32W.exe” wrote bytes “f811db74” to virtual address “0x74DC834C” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “f8110000” to virtual address “0x74DB1408” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “b84013406dffe0” to virtual address “0x74DB1248” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “4812db74” to virtual address “0x74DC8348” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “f811db74” to virtual address “0x74DC8368” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “c04e027720540377e0650377b53804770000000000d0437500000000c5ea43750000000088ea437500000000e968f97482280477ee29047700000000d269f974000000007dbb43750000000009bef97400000000ba18437500000000” to virtual address “0x77171000” (part of module “NSI.DLL”)
      “GetDockVer32W.exe” wrote bytes “f8110000” to virtual address “0x74DB12CC” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “f811db74” to virtual address “0x74DC83C4” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “4812db74” to virtual address “0x74DC8364” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “4812db74” to virtual address “0x74DC83C0” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “f811db74” to virtual address “0x74DC83E0” (part of module “SSPICLI.DLL”)
      “GetDockVer32W.exe” wrote bytes “6012406d” to virtual address “0x76FAE324” (part of module “WININET.DLL”)
      source
      Hook Detection
      relevance
      10/10
      ATT&CK ID
      T1179 (Hooking; show technique in the MITRE ATT&CK™ matrix)
  • Hiding 5 Suspicious Indicators

    • All indicators are available only in the private webservice or standalone version
  • Anti-Reverse Engineering

  • Environment Awareness

  • External Systems

  • General


    • Creates a writable file in a temporary directory

      details
      “GetDockVer32W.exe” created file “%TEMP%\DBUtil_2_3.Sys”
      source
      API Call
      relevance
      1/10

    • Creates mutants

      details
      “\Sessions\1\BaseNamedObjects\Global\DELL_BIOS_FLASH_MUL_INSTANCE_MUTEX”
      “Global\DELL_BIOS_FLASH_MUL_INSTANCE_MUTEX”
      source
      Created Mutant
      relevance
      3/10

    • Drops files marked as clean

      details
      Antivirus vendors marked dropped file “DBUtil_2_3.Sys” as clean (type is “PE32 executable (native) Intel 80386 for MS Windows”)
      source
      Extracted File
      relevance
      10/10

    • The input sample is signed with a certificate

      details
      The input sample is signed with a certificate issued by “CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US” (SHA1: 64:B8:F1:ED:EF:40:D7:D2:86:02:B6:B9:17:1A:FF:11:4E:12:A6:46; see report for more information)
      The input sample is signed with a certificate issued by “CN=Entrust Extended Validation Code Signing CA - EVCS1, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US” (SHA1: AE:35:C1:91:EE:03:17:F5:12:6C:A4:15:B3:8E:79:40:93:F5:A1:CA; see report for more information)
      source
      Certificate Information
      relevance
      10/10
      ATT&CK ID
      T1116 (Code Signing; show technique in the MITRE ATT&CK™ matrix)
  • Installation/Persistence


    • Dropped files

      details
      “DBUtil_2_3.Sys” has type “PE32 executable (native) Intel 80386 for MS Windows”
      “GetDockVer32W.log” has type “ASCII text with CRLF line terminators”
      “dockversion.xml” has type “XML 1.0 document ASCII text with no line terminators”
      source
      Extracted File
      relevance
      3/10

    • Touches files in the Windows directory

      details
      “GetDockVer32W.exe” touched file “%WINDIR%\AppPatch\sysmain.sdb”
      “GetDockVer32W.exe” touched file “%WINDIR%\AppPatch\AcGenral.dll”
      “GetDockVer32W.exe” touched file “%WINDIR%\Globalization\Sorting\SortDefault.nls”
      source
      API Call
      relevance
      7/10
  • Network Related


    • Found potential URL in binary/memory

      details
      Pattern match: “www.entrust.net/legal-terms1907”
      Pattern match: “http://ocsp.entrust.net00”
      Pattern match: “http://crl.entrust.net/g2ca.crl0”
      Pattern match: “http://www.entrust.net/rpa0”
      Pattern match: “http://ocsp.entrust.net05”
      Pattern match: “http://aia.entrust.net/evcs1-chain256.cer01”
      Pattern match: “http://crl.entrust.net/evcs1.crl0J”
      Pattern match: “https://d.symcb.com/cps0%”
      Pattern match: “https://d.symcb.com/rpa0”
      Pattern match: “http://s.symcd.com06”
      Pattern match: “http://s.symcb.com/universal-root.crl0”
      Pattern match: “https://d.symcb.com/rpa0@”
      Pattern match: “http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0”
      Pattern match: “http://ts-ocsp.ws.symantec.com0”
      Pattern match: “http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0”
      source
      String
      relevance
      10/10
      Every one of these is an OCSP, CRL, AIA or policy URL from the Entrust (code-signing) and Symantec (timestamping) certificate chains embedded in the Authenticode signature; the stray trailing characters are the DER bytes that follow each string. They are not runtime destinations, and the sandbox recorded no DNS or HTTP traffic for this sample.
  • Unusual Characteristics
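The “CRC value set in PE header does not match actual value” indicator compares IMAGE_OPTIONAL_HEADER.CheckSum with the value recomputed over the file. The Python below is an added example, not code from the report or from Dell, that reproduces that check the way imagehlp's CheckSumMappedFile does it; the 256-byte image it builds is a constructed, header-only stand-in (not a loadable executable), and the file-path argument is a hypothetical usage. Two things the indicator does not spell out: the field is an additive checksum, not a CRC, and Authenticode excludes it from the signed hash, so a mismatch neither invalidates the Entrust-issued signature nor, by itself, proves the file was altered after signing.

```python
import struct
import sys


def pe_checksum_offset(image: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    e_lfanew (offset 0x3C of the DOS header) locates the "PE\\0\\0" signature;
    the optional header follows the 4-byte signature and the 20-byte
    IMAGE_FILE_HEADER, and CheckSum sits at offset 64 inside it for both
    PE32 and PE32+.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64


def compute_pe_checksum(image: bytes) -> int:
    """Recompute the header checksum: 32-bit summation with end-around carry
    over the whole file (the CheckSum field itself counted as zero), folded
    to 16 bits, plus the file length. An additive checksum, not a CRC."""
    buf = bytearray(image)
    off = pe_checksum_offset(image)
    buf[off:off + 4] = b"\0\0\0\0"        # the field is excluded from its own sum
    buf += b"\0" * (-len(buf) % 4)         # zero-pad a trailing partial dword
    total = 0
    for pos in range(0, len(buf), 4):
        total += struct.unpack_from("<I", buf, pos)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(image)


def stored_pe_checksum(image: bytes) -> int:
    """The value the linker (or signer) wrote into the header."""
    return struct.unpack_from("<I", image, pe_checksum_offset(image))[0]


def verify_pe_checksum(image: bytes) -> tuple:
    """Return (matches, stored, actual): the pair the sandbox prints as
    "claimed CRC" and "actual CRC"."""
    stored = stored_pe_checksum(image)
    actual = compute_pe_checksum(image)
    return stored == actual, stored, actual


def build_demo_image(stored_checksum: int) -> bytes:
    """Constructed 256-byte stand-in for a PE file: MZ stub, e_lfanew = 0x40,
    PE signature, PE32 magic and a CheckSum field set to the caller's value.
    Headers only, no sections; it is not a runnable executable."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 24, 0x10B)   # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    struct.pack_into("<I", img, 0x40 + 24 + 64, stored_checksum)
    return bytes(img)


if __name__ == "__main__":
    # Hypothetical usage: pass a PE file path, or fall back to the demo image
    # carrying the report's "claimed" value 65331 in its CheckSum field.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_demo_image(65331)
    ok, stored, actual = verify_pe_checksum(data)
    print(f"claimed {stored} actual {actual} -> {'match' if ok else 'MISMATCH'}")
```

On a real file the same number is what pefile's `PE.generate_checksum()` returns, compared against `PE.OPTIONAL_HEADER.CheckSum`. A mismatch is routine for unsigned or post-build-patched binaries; what makes it worth a look here is that a vendor's signing pipeline normally fixes the field up before signing a driver.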

File Details


All Details:



GetDockVer32W.exe

Filename
GetDockVer32W.exe
Size
158KiB (161320 bytes)
Type
peexe
executable
Description
PE32 executable (GUI) Intel 80386, for MS Windows
Architecture
WINDOWS
SHA256
b14f8dc70fb23c46754ddd8d2977164e4283ce5638eeb6d3a7778ecad36f5372

Compiler/Packer
VC8 -> Microsoft Corporation

Version Info

LegalCopyright
Copyright (C) 2016
InternalName
GetDockVer.exe
FileVersion
0.0.0.2
CompanyName
Dell, Inc.
ProductName
Dell Firmware Update
ProductVersion
0.0.0.2
FileDescription
Get Dock Version
OriginalFilename
GetDockVer.exe
Translation
0x0409 0x04b0

Classification (TrID)

  • 61.7% (.EXE) Win64 Executable (generic)
  • 14.7% (.DLL) Win32 Dynamic Link Library (generic)
  • 10.0% (.EXE) Win32 Executable (generic)
  • 4.5% (.EXE) OS/2 Executable (generic)
  • 4.4% (.EXE) Generic Win/DOS Executable

TrID's top guess (Win64) contradicts the parsed PE header above (PE32, Intel 80386); the header is authoritative, so treat the TrID percentages as a rough classification only.

File Sections


Hybrid Analysis

Network Analysis

DNS Requests

No relevant DNS requests were made.

HTTP Traffic

No relevant HTTP requests were made.

Extracted Files

Notifications

  • Network whitenoise filtering (Process) was applied
  • Not all Falcon MalQuery lookups completed in time
  • Not all IP/URL string resources were checked online
  • Not all sources for indicator ID “string-24” are available in the report
