f0f7cf9a133b7a22c26f2da01485aa2ee3a31feac53b40fc724757d66ba885e2

Analysis

max time kernel
36s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0f7cf9a133b7a22c26f2da01485aa2ee3a31feac53b40fc724757d66ba885e2.dll
Size

844KB
MD5

5260a2fed6633021f08357915fc08750
SHA1

0b6a111d776ec11829ce05a354ca705a44797d9b
SHA256

f0f7cf9a133b7a22c26f2da01485aa2ee3a31feac53b40fc724757d66ba885e2
SHA512

8494ce4c239e4f6f849de843021f2b42276f6ee05189e2edd0a8f6793ecaf472ac9a7deaee4b858b4c45386de7797623b3b9cfe58ec41273c6b71487492cd671
SSDEEP

24576:oDSJtY1VsHzGFtHyLKDc2a9khoC7XXF8:oD6HHzKSLKQ21TXF

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	regsvr32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine	regsvr32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1964	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1964	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1964	1160	regsvr32.exe	26
PID 1160 wrote to memory of 1964	1160	regsvr32.exe	26
PID 1160 wrote to memory of 1964	1160	regsvr32.exe	26
PID 1160 wrote to memory of 1964	1160	regsvr32.exe	26
PID 1160 wrote to memory of 1964	1160	regsvr32.exe	26
PID 1160 wrote to memory of 1964	1160	regsvr32.exe	26
PID 1160 wrote to memory of 1964	1160	regsvr32.exe	26

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f0f7cf9a133b7a22c26f2da01485aa2ee3a31feac53b40fc724757d66ba885e2.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\f0f7cf9a133b7a22c26f2da01485aa2ee3a31feac53b40fc724757d66ba885e2.dll
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-54-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/1964-56-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1964-57-0x0000000010000000-0x00000000101FA000-memory.dmp

Filesize
2.0MB

Download
memory/1964-58-0x0000000077480000-0x0000000077600000-memory.dmp

Filesize
1.5MB

Download