Overview (score 9)
Static

Behavioral tasks (sample, platform, score):
BlackDeser...er.exe    windows7_x64          9
BlackDeser...er.exe    windows10-2004_x64    9
Libs/MahAp...ro.dll    windows7_x64          1
Libs/MahAp...ro.dll    windows10-2004_x64    1
Libs/Micro...op.dll    windows7_x64          1
Libs/Micro...op.dll    windows10-2004_x64    1
Libs/Micro...ns.dll    windows7_x64          1
Libs/Micro...ns.dll    windows10-2004_x64    1
Libs/Micro...ks.dll    windows7_x64          1
Libs/Micro...ks.dll    windows10-2004_x64    1
Libs/System.IO.dll     windows7_x64          1
Libs/System.IO.dll     windows10-2004_x64    1
Libs/Syste...me.dll    windows7_x64          1
Libs/Syste...me.dll    windows10-2004_x64    1
Libs/Syste...ks.dll    windows7_x64          1
Libs/Syste...ks.dll    windows10-2004_x64    1
Libs/Syste...ty.dll    windows7_x64          1
Libs/Syste...ty.dll    windows10-2004_x64    1
NativeDecompress.dll   windows7_x64          9
NativeDecompress.dll   windows10-2004_x64    9

Analysis
- max time kernel: 190s
- max time network: 229s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 04:32
Tasks
- Static task static1
- Behavioral task behavioral1: BlackDesert Online PAZ Browser.exe (resource win7-20220414-en)
- Behavioral task behavioral2: BlackDesert Online PAZ Browser.exe (resource win10v2004-20220414-en)
- Behavioral task behavioral3: Libs/MahApps.Metro.dll (resource win7-20220414-en)
- Behavioral task behavioral4: Libs/MahApps.Metro.dll (resource win10v2004-20220414-en)
- Behavioral task behavioral5: Libs/Microsoft.Threading.Tasks.Extensions.Desktop.dll (resource win7-20220414-en)
- Behavioral task behavioral6: Libs/Microsoft.Threading.Tasks.Extensions.Desktop.dll (resource win10v2004-20220414-en)
- Behavioral task behavioral7: Libs/Microsoft.Threading.Tasks.Extensions.dll (resource win7-20220414-en)
- Behavioral task behavioral8: Libs/Microsoft.Threading.Tasks.Extensions.dll (resource win10v2004-20220414-en)
- Behavioral task behavioral9: Libs/Microsoft.Threading.Tasks.dll (resource win7-20220414-en)
- Behavioral task behavioral10: Libs/Microsoft.Threading.Tasks.dll (resource win10v2004-20220414-en)
- Behavioral task behavioral11: Libs/System.IO.dll (resource win7-20220414-en)
- Behavioral task behavioral12: Libs/System.IO.dll (resource win10v2004-20220414-en)
- Behavioral task behavioral13: Libs/System.Runtime.dll (resource win7-20220414-en)
- Behavioral task behavioral14: Libs/System.Runtime.dll (resource win10v2004-20220414-en)
- Behavioral task behavioral15: Libs/System.Threading.Tasks.dll (resource win7-20220414-en)
- Behavioral task behavioral16: Libs/System.Threading.Tasks.dll (resource win10v2004-20220414-en)
- Behavioral task behavioral17: Libs/System.Windows.Interactivity.dll (resource win7-20220414-en)
- Behavioral task behavioral18: Libs/System.Windows.Interactivity.dll (resource win10v2004-20220414-en)
- Behavioral task behavioral19: NativeDecompress.dll (resource win7-20220414-en)
- Behavioral task behavioral20: NativeDecompress.dll (resource win10v2004-20220414-en)
General
- Target: BlackDesert Online PAZ Browser.exe
- Size: 1.9MB
- MD5: 4a1c0fd0dea70de9898517ac5c37d766
- SHA1: 38bea50aa5e4f0693bbebac4c12bbcb469b045b0
- SHA256: e17f07f62bed84c388121ef63ecae48ac69834ae4cdff92b5f8871ed88f67c62
- SHA512: a3632a5c15a0d5b84e28fc7e2f95a5b73e8f08037c1415682592eceaf9001aa971135cf534a4d039c9bd8854e0c08359ac300a27c429e592879367b7ae83c195
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, IoC, process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | BlackDesert Online PAZ Browser.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | BlackDesert Online PAZ Browser.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description, IoC, process):
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine | BlackDesert Online PAZ Browser.exe
- Checks whether UAC is enabled
  Processes (description, IoC, process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | BlackDesert Online PAZ Browser.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description, IoC, process):
    File opened for modification | \??\PhysicalDrive0 | BlackDesert Online PAZ Browser.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (PID, process):
    4120 | BlackDesert Online PAZ Browser.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (PID, process):
    4120 | BlackDesert Online PAZ Browser.exe
    4120 | BlackDesert Online PAZ Browser.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\BlackDesert Online PAZ Browser.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BlackDesert Online PAZ Browser.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (memory dumps, file size)
- memory/4120-130-0x0000000077960000-0x0000000077B03000-memory.dmp (1.6MB)
- memory/4120-131-0x0000000000400000-0x00000000008C4000-memory.dmp (4.8MB)
- memory/4120-132-0x0000000000400000-0x00000000008C4000-memory.dmp (4.8MB)
- memory/4120-133-0x00000000070B0000-0x000000000717A000-memory.dmp (808KB)
- memory/4120-134-0x0000000007000000-0x0000000007010000-memory.dmp (64KB)
- memory/4120-140-0x000000000A450000-0x000000000A458000-memory.dmp (32KB)
- memory/4120-141-0x000000000C430000-0x000000000C468000-memory.dmp (224KB)
- memory/4120-142-0x000000000C490000-0x000000000C49E000-memory.dmp (56KB)