db950fa36906f1288253b90bb8eb722d5f29c1f078d043bf0f4b90ed7698614b

Analysis

max time kernel
23s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db950fa36906f1288253b90bb8eb722d5f29c1f078d043bf0f4b90ed7698614b.dll
Size

787KB
MD5

0d18eae002c8d89fe777fffd15c82f70
SHA1

88cf49d9fa4b0a0e7637b57d42b1695ca4d593ce
SHA256

db950fa36906f1288253b90bb8eb722d5f29c1f078d043bf0f4b90ed7698614b
SHA512

e92a05fb022bfa914552017b8f15b89c7ececc47159c52460027251d5120bf465e0591dee2124068999c819922b93500572625a32870b0b196915a0f2554dc8d
SSDEEP

24576:zTh1pwLZFS86oag9BcgHFLiT1fjwGkuYHCDtq8:zTp2S83agXhlLI/fD

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	regsvr32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine	regsvr32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1348	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1348	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1348	860	regsvr32.exe	27
PID 860 wrote to memory of 1348	860	regsvr32.exe	27
PID 860 wrote to memory of 1348	860	regsvr32.exe	27
PID 860 wrote to memory of 1348	860	regsvr32.exe	27
PID 860 wrote to memory of 1348	860	regsvr32.exe	27
PID 860 wrote to memory of 1348	860	regsvr32.exe	27
PID 860 wrote to memory of 1348	860	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\db950fa36906f1288253b90bb8eb722d5f29c1f078d043bf0f4b90ed7698614b.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\db950fa36906f1288253b90bb8eb722d5f29c1f078d043bf0f4b90ed7698614b.dll
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-54-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/1348-56-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1348-57-0x0000000010000000-0x00000000101BF000-memory.dmp

Filesize
1.7MB

Download
memory/1348-58-0x0000000076FE0000-0x0000000077160000-memory.dmp

Filesize
1.5MB

Download