Analysis

  • max time kernel
    190s
  • max time network
    229s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 04:32

General

  • Target

    BlackDesert Online PAZ Browser.exe

  • Size

    1.9MB

  • MD5

    4a1c0fd0dea70de9898517ac5c37d766

  • SHA1

    38bea50aa5e4f0693bbebac4c12bbcb469b045b0

  • SHA256

    e17f07f62bed84c388121ef63ecae48ac69834ae4cdff92b5f8871ed88f67c62

  • SHA512

    a3632a5c15a0d5b84e28fc7e2f95a5b73e8f08037c1415682592eceaf9001aa971135cf534a4d039c9bd8854e0c08359ac300a27c429e592879367b7ae83c195

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BlackDesert Online PAZ Browser.exe
    "C:\Users\Admin\AppData\Local\Temp\BlackDesert Online PAZ Browser.exe"
    1⤵
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4120

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Bootkit

1
T1067

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4120-130-0x0000000077960000-0x0000000077B03000-memory.dmp
    Filesize

    1.6MB

  • memory/4120-131-0x0000000000400000-0x00000000008C4000-memory.dmp
    Filesize

    4.8MB

  • memory/4120-132-0x0000000000400000-0x00000000008C4000-memory.dmp
    Filesize

    4.8MB

  • memory/4120-133-0x00000000070B0000-0x000000000717A000-memory.dmp
    Filesize

    808KB

  • memory/4120-134-0x0000000007000000-0x0000000007010000-memory.dmp
    Filesize

    64KB

  • memory/4120-140-0x000000000A450000-0x000000000A458000-memory.dmp
    Filesize

    32KB

  • memory/4120-141-0x000000000C430000-0x000000000C468000-memory.dmp
    Filesize

    224KB

  • memory/4120-142-0x000000000C490000-0x000000000C49E000-memory.dmp
    Filesize

    56KB