fa1c0c271fc89651bc40cc1b4cee1a565d1ab8e1f7a7ab23959877601b8a58ea

Analysis

max time kernel
113s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa1c0c271fc89651bc40cc1b4cee1a565d1ab8e1f7a7ab23959877601b8a58ea.dll
Size

813KB
MD5

67c24af4440eccc5274037c4ba9e2e16
SHA1

e8f9df2ad9b0d77ee7efc1ff76312400fc6912b2
SHA256

fa1c0c271fc89651bc40cc1b4cee1a565d1ab8e1f7a7ab23959877601b8a58ea
SHA512

e1734d30ec9c8245bbc2bedadff5342cde25ca1a7219342a9afa1b332f42a6829aceb1e228fb9aee3292be81b81c8d9183dbb37f6eb41da468c70c5040084e30
SSDEEP

24576:uI9qjp3/4ToOICureR048mq2ud/nfboec:ZqpP4MOjVuV52ulnzo

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	regsvr32.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Wine	regsvr32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
928	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
928	regsvr32.exe
928	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 928	5080	regsvr32.exe	82
PID 5080 wrote to memory of 928	5080	regsvr32.exe	82
PID 5080 wrote to memory of 928	5080	regsvr32.exe	82

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fa1c0c271fc89651bc40cc1b4cee1a565d1ab8e1f7a7ab23959877601b8a58ea.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\fa1c0c271fc89651bc40cc1b4cee1a565d1ab8e1f7a7ab23959877601b8a58ea.dll
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/928-133-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/928-134-0x0000000002DD0000-0x0000000002E6D000-memory.dmp

Filesize
628KB

Download
memory/928-135-0x0000000077CA0000-0x0000000077E43000-memory.dmp

Filesize
1.6MB

Download