dc17d3214db1cdede4c5ba75da2664bf0b9fbde1fbd5976d74d9035f09dbcef5

Analysis

max time kernel
143s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc17d3214db1cdede4c5ba75da2664bf0b9fbde1fbd5976d74d9035f09dbcef5.dll
Size

789KB
MD5

82796d757bdfa9b6f5b1a305990123d0
SHA1

9505d08042f698418b48ddd90179b392faf51126
SHA256

dc17d3214db1cdede4c5ba75da2664bf0b9fbde1fbd5976d74d9035f09dbcef5
SHA512

d8745bb08d0e6b204962d1dae6f8cfba919d68988bf63e57a6a103f33ac747ad305408739a6c1e8f77422542b3b9ed6356ad22288dbd678f5593600641b2e33e
SSDEEP

12288:XO239mJl7ZUJHI1xYHLEC0VgWzDRGipvWh2XBveBsWwdHf2pRq0qN0kW:Xr39oFYHMxsr06+NrFX5bvxuvrqfW

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	regsvr32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine	regsvr32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
832	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
832	regsvr32.exe
832	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 832	2732	regsvr32.exe	76
PID 2732 wrote to memory of 832	2732	regsvr32.exe	76
PID 2732 wrote to memory of 832	2732	regsvr32.exe	76

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dc17d3214db1cdede4c5ba75da2664bf0b9fbde1fbd5976d74d9035f09dbcef5.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\dc17d3214db1cdede4c5ba75da2664bf0b9fbde1fbd5976d74d9035f09dbcef5.dll
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/832-133-0x0000000010000000-0x00000000101BF000-memory.dmp

Filesize
1.7MB

Download
memory/832-134-0x0000000000EF0000-0x0000000000F8D000-memory.dmp

Filesize
628KB

Download
memory/832-135-0x0000000077C90000-0x0000000077E33000-memory.dmp

Filesize
1.6MB

Download
memory/832-136-0x0000000077C90000-0x0000000077E33000-memory.dmp

Filesize
1.6MB

Download