Resubmissions

12-05-2022 21:09

220512-zzeczaabg4 9

10-05-2022 12:16

220510-pfl9csbefm 10

09-05-2022 23:26

220509-3e4nxaedh7 10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    10-05-2022 12:16

General

  • Target

    oblot.dll

  • Size

    1.3MB

  • MD5

    38ea4397f1c9dfe79e9accaebe7487ec

  • SHA1

    24614b49e47bbdc30263cc86cea8aceb2781f1ed

  • SHA256

    281a1cfaebf968012e9596721d14b1bd6429744617e73f96558cb68bcc0db8f8

  • SHA512

    3b8d8deb404a52cb43306c8b3275f61efd8092202cf5ac5d86c342664b1673080abb3689f77b5bcc94b88ca10f238eb2dba67161619588e443ca6e04e261399b

Score
9/10

Malware Config

Signatures

  • Enumerates VirtualBox registry keys 2 TTPs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\oblot.dll,#1
    1⤵
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious behavior: EnumeratesProcesses
    PID:3136

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3136-130-0x00007FF8C1520000-0x00007FF8C1530000-memory.dmp

    Filesize

    64KB