8d9a11da9b77d55b72c5a291de1291ac9026e1a0950daecf4e528ebbdf1beaa1

Analysis

max time kernel
161s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2022, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d9a11da9b77d55b72c5a291de1291ac9026e1a0950daecf4e528ebbdf1beaa1.dll
Size

787KB
MD5

913997aacad7cf444755f5c0365454f0
SHA1

c5d4b9bbb5ab95480c1fe53fdc2d794969003cdd
SHA256

8d9a11da9b77d55b72c5a291de1291ac9026e1a0950daecf4e528ebbdf1beaa1
SHA512

fd64cc80e72c66397a0f5e3f742810a03314534567411ddc3641c3943db5158bd5ba3e5d86697155525d0083ca09eae9f5d3e7faa94d94c6fbcdd57d282c38f1
SSDEEP

12288:y/gnxiVKhJkcbNiUgtfzm12eZOk6jfKFi+HYrSNh0mGVhr8X11SnMXBsk5qGFfDy:yYY6M6gaOmArSNhzGA2n3b

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	regsvr32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Wine	regsvr32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1912	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1912	regsvr32.exe
1912	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 1912	4916	regsvr32.exe	79
PID 4916 wrote to memory of 1912	4916	regsvr32.exe	79
PID 4916 wrote to memory of 1912	4916	regsvr32.exe	79

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8d9a11da9b77d55b72c5a291de1291ac9026e1a0950daecf4e528ebbdf1beaa1.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\8d9a11da9b77d55b72c5a291de1291ac9026e1a0950daecf4e528ebbdf1beaa1.dll
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1912-133-0x0000000010000000-0x00000000101BE000-memory.dmp

Filesize
1.7MB

Download
memory/1912-134-0x0000000002D80000-0x0000000002E1D000-memory.dmp

Filesize
628KB

Download
memory/1912-135-0x00000000779B0000-0x0000000077B53000-memory.dmp

Filesize
1.6MB

Download