5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	79O0Z.exe

Executes dropped EXE 1 IoCs

pid	Process
2904	79O0Z.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	79O0Z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	79O0Z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Wine	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Wine	79O0Z.exe

Loads dropped DLL 2 IoCs

pid	Process
420	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe
2904	79O0Z.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System\7c9FmS3\79O0Z.exe	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe
File opened for modification	C:\Windows\System\7c9FmS3\79O0Z.exe	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe
File opened for modification	C:\Windows\System\7c9FmS3	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
1972	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 420 wrote to memory of 1512	420	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe	91
PID 420 wrote to memory of 1512	420	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe	91
PID 420 wrote to memory of 1512	420	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe	91
PID 420 wrote to memory of 1972	420	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe	94
PID 420 wrote to memory of 1972	420	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe	94
PID 420 wrote to memory of 1972	420	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe	94
PID 420 wrote to memory of 2904	420	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe	97
PID 420 wrote to memory of 2904	420	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe	97
PID 420 wrote to memory of 2904	420	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe	97
PID 420 wrote to memory of 3844	420	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe	98
PID 420 wrote to memory of 3844	420	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe	98
PID 420 wrote to memory of 3844	420	5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe	98

C:\Users\Admin\AppData\Local\Temp\5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe
"C:\Users\Admin\AppData\Local\Temp\5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:420
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /delete /TN Microsoft\Windows\Shell\Init /F
  2⤵
  PID:1512
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /F /sc onstart /tn Microsoft\Windows\Shell\Init /tr "\"C:\Windows\System\7c9FmS3\79O0Z.exe\"" /ru system
  2⤵
  - Creates scheduled task(s)
  PID:1972
- C:\Windows\System\7c9FmS3\79O0Z.exe
  "C:\Windows\System\7c9FmS3\79O0Z.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  PID:2904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5B7E02~1.EXE >> NUL
  2⤵
  PID:3844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

Persistence

Scheduled Task

1

Privilege Escalation

Scheduled Task

1

Defense Evasion

Virtualization/Sandbox Evasion

2

Credential Access

Discovery

Query Registry

4

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2