1f43703d2171ab90e98357b6dfdf824417baa191a59419c27fce42cbafdb7ecf

Analysis

max time kernel
92s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlackLotus.exe
Size

2.4MB
MD5

d948d4b6db5d6d6e2e1ba6c0fa4bf008
SHA1

05846d5b1d37ee2d716140de4f4f984cf1e631d1
SHA256

1f43703d2171ab90e98357b6dfdf824417baa191a59419c27fce42cbafdb7ecf
SHA512

fce681b3721eaf87f27b758782095e34665517ea4e0529cf18b32c4d0d5270ec40c8acf296ad2665e60a6e7e0430807f87e01e3a145902c9fea2a3c83100c15d
SSDEEP

49152:AjY216rMHabk161nZDmcQt8O4BY3+lu2OtXED355:k3YdnZDmcQP6YO/OtXEf

Score

9^/10

evasion

Malware Config

Signatures

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\Registry\Machine\SYSTEM\ControlSet001\Services\VBoxGuest	BlackLotus.exe
Key opened	\Registry\Machine\SYSTEM\ControlSet001\Services\VBoxMouse	BlackLotus.exe
Key opened	\Registry\Machine\SYSTEM\ControlSet001\Services\VBoxService	BlackLotus.exe
Key opened	\Registry\Machine\SYSTEM\ControlSet001\Services\VBoxSF	BlackLotus.exe
Key opened	\Registry\Machine\SYSTEM\ControlSet001\Services\VBoxVideo	BlackLotus.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\ACPI\FADT\VBOX__	BlackLotus.exe
Key opened	\Registry\Machine\HARDWARE\ACPI\RSDT\VBOX__	BlackLotus.exe
Key opened	\Registry\Machine\HARDWARE\ACPI\DSDT\VBOX__	BlackLotus.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\Registry\Machine\SOFTWARE\Oracle\VirtualBox Guest Additions	BlackLotus.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\Registry\Machine\SOFTWARE\VMware, Inc.\VMware Tools	BlackLotus.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BlackLotus.exe

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	BlackLotus.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
984	BlackLotus.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4528	984	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe
984	BlackLotus.exe

C:\Users\Admin\AppData\Local\Temp\BlackLotus.exe
"C:\Users\Admin\AppData\Local\Temp\BlackLotus.exe"
1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks system information in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:984
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 984 -s 148
  2⤵
  - Program crash
  PID:4528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 984 -ip 984
1⤵
PID:4152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/984-133-0x00007FFDB8FD0000-0x00007FFDB91C5000-memory.dmp

Filesize
2.0MB

Download