Analysis
- max time kernel: 175s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 04:32
Static task: static1

Behavioral tasks (task, sample, resource):
- behavioral1: BlackDesert Online PAZ Browser.exe (win7-20220414-en)
- behavioral2: BlackDesert Online PAZ Browser.exe (win10v2004-20220414-en)
- behavioral3: Libs/MahApps.Metro.dll (win7-20220414-en)
- behavioral4: Libs/MahApps.Metro.dll (win10v2004-20220414-en)
- behavioral5: Libs/Microsoft.Threading.Tasks.Extensions.Desktop.dll (win7-20220414-en)
- behavioral6: Libs/Microsoft.Threading.Tasks.Extensions.Desktop.dll (win10v2004-20220414-en)
- behavioral7: Libs/Microsoft.Threading.Tasks.Extensions.dll (win7-20220414-en)
- behavioral8: Libs/Microsoft.Threading.Tasks.Extensions.dll (win10v2004-20220414-en)
- behavioral9: Libs/Microsoft.Threading.Tasks.dll (win7-20220414-en)
- behavioral10: Libs/Microsoft.Threading.Tasks.dll (win10v2004-20220414-en)
- behavioral11: Libs/System.IO.dll (win7-20220414-en)
- behavioral12: Libs/System.IO.dll (win10v2004-20220414-en)
- behavioral13: Libs/System.Runtime.dll (win7-20220414-en)
- behavioral14: Libs/System.Runtime.dll (win10v2004-20220414-en)
- behavioral15: Libs/System.Threading.Tasks.dll (win7-20220414-en)
- behavioral16: Libs/System.Threading.Tasks.dll (win10v2004-20220414-en)
- behavioral17: Libs/System.Windows.Interactivity.dll (win7-20220414-en)
- behavioral18: Libs/System.Windows.Interactivity.dll (win10v2004-20220414-en)
- behavioral19: NativeDecompress.dll (win7-20220414-en)
- behavioral20: NativeDecompress.dll (win10v2004-20220414-en)
General
- Target: NativeDecompress.dll
- Size: 1.2MB
- MD5: 84b679ddb4975de2d2fc0e1a37042ac5
- SHA1: 5e80e5df5514ce5603578c738a63210ef4c2f55e
- SHA256: 64284f7cddd51086946191dbaaf1d23869b99ef47892f250682c2d568aa874f5
- SHA512: 3c574ed06b7d798c1f92dad6019ee510b660fcb2267f91528cfcc94c96a003f55504d534aaea694baa87a21665c8c180e4e1ad5735041a779336f2996062ec2a
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (rundll32.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (rundll32.exe)
- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description, ioc, process):
    Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine (rundll32.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes (pid, process):
    4824 rundll32.exe
- Program crash (1 IoCs)
  Processes (pid, pid_target, process, target process):
    2696 4824 WerFault.exe rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    4824 rundll32.exe
    4824 rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
    PID 2744 wrote to memory of 4824: rundll32.exe -> rundll32.exe
    PID 2744 wrote to memory of 4824: rundll32.exe -> rundll32.exe
    PID 2744 wrote to memory of 4824: rundll32.exe -> rundll32.exe
Processes (process tree; each entry gives the image path, the command line, and the signatures attributed to it)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\NativeDecompress.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\NativeDecompress.dll,#1
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 708
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4824 -ip 4824