Analysis
-
max time kernel
141s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
27-02-2024 16:09
Static task
static1
Behavioral task
behavioral1
Sample
a994e6555f2de587dd8f5a011e372077.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a994e6555f2de587dd8f5a011e372077.exe
Resource
win10v2004-20240226-en
General
-
Target
a994e6555f2de587dd8f5a011e372077.exe
-
Size
1.3MB
-
MD5
a994e6555f2de587dd8f5a011e372077
-
SHA1
b6ed70695b034f6959ea522d0e760e68434e4602
-
SHA256
b75fb381e3bfc708fb2ae57fe9ddcba282b08bbe5790449af56dde30d7c5b371
-
SHA512
0267a110df617d94949224cb0fba57ecd7f834fc068b21437a6b9593b933f9f59efbfd37251a24ff0afa67d758f47a27daea1b91ba2da8844fefa85570456777
-
SSDEEP
24576:z2XEn3Bn3mvCJHeABSuAcVzVdRMHzkyKD8+NdBsd0NBX7WrZE:Kql3zleAb3VdoUNJBrM2
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a994e6555f2de587dd8f5a011e372077.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a994e6555f2de587dd8f5a011e372077.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBIOSDate | a994e6555f2de587dd8f5a011e372077.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine | a994e6555f2de587dd8f5a011e372077.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive. Every letter from E: through Z: except F: is probed (21 roots).
description | ioc | Process
File opened (read-only) | \??\E: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\I: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\M: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\R: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\S: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\Y: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\J: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\T: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\U: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\V: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\Z: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\H: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\K: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\L: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\O: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\Q: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\X: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\G: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\N: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\P: | a994e6555f2de587dd8f5a011e372077.exe
File opened (read-only) | \??\W: | a994e6555f2de587dd8f5a011e372077.exe
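The VirtualBox ACPI key, the BIOS values, the Wine key and the sweep of drive roots above are what an environment-fingerprinting routine looks like in a raw sandbox event stream. The following is an added example, not code from the original report or from the sample: it parses constructed event lines that mirror the IoCs above (plus two benign lines from a made-up explorer.exe as a control), groups them under the same signature names the report uses, and produces a verdict. The regexes, the drive-enumeration threshold and the two-signature verdict rule are this example's own assumptions, not the sandbox's rule set.

```python
"""Classify sandbox registry/file events into the anti-analysis signatures
seen in the report. Added example; the sandbox's real rules are not public here."""
import re
from collections import defaultdict

SAMPLE = "a994e6555f2de587dd8f5a011e372077.exe"

# Constructed events in "<action> | <object> | <process>" form, mirroring the report.
_BASE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBIOSDate", SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBIOSDate", SAMPLE),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine", SAMPLE),
    # Constructed benign control: another process touching an unrelated key and the default drive.
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "explorer.exe"),
    ("File opened (read-only)", r"\??\C:", "explorer.exe"),
]
# The report shows every letter E: through Z: except F: being probed (21 drive roots).
_DRIVE_EVENTS = [("File opened (read-only)", "\\??\\" + c + ":", SAMPLE)
                 for c in "EGHIJKLMNOPQRSTUVWXYZ"]
SAMPLE_EVENTS = "\n".join(" | ".join(e) for e in _BASE_EVENTS + _DRIVE_EVENTS)

# (signature name as in the report, required action, object pattern) -- patterns are assumptions.
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", "Key opened",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("Checks BIOS information in registry", "Key value queried",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\SystemBios(Version|Date)$", re.I)),
    ("Enumerates system info in registry", "Key value queried",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\VideoBios(Version|Date)$", re.I)),
    ("Identifies Wine through registry keys", "Key opened",
     re.compile(r"\\Software\\Wine$", re.I)),
]
DRIVE_RE = re.compile(r"^\\\?\?\\([D-Z]):$", re.I)    # NT path of a drive root other than C:
DRIVE_ENUM_THRESHOLD = 5                                # assumption: this many roots counts as enumeration
EVASION_SIGS = {RULES[0][0], RULES[1][0], RULES[3][0]}  # signatures that fingerprint the environment


def parse_events(text):
    """Turn 'action | object | process' lines into tuples; blank lines are skipped."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, obj, proc = (p.strip() for p in line.split(" | ", 2))
        out.append((action, obj, proc))
    return out


def classify(events):
    """Map signature name -> process -> sorted list of matching IoCs."""
    hits = defaultdict(lambda: defaultdict(set))
    for action, obj, proc in events:
        for name, want_action, pattern in RULES:
            if action == want_action and pattern.search(obj):
                hits[name][proc].add(obj)
        if action.startswith("File opened") and DRIVE_RE.match(obj):
            hits["_drives"][proc].add(obj)
    # A few drive-root opens are normal; only a sweep above the threshold is reported.
    for proc, roots in hits.pop("_drives", {}).items():
        if len(roots) >= DRIVE_ENUM_THRESHOLD:
            hits["Enumerates connected drives"][proc] = roots
    return {sig: {p: sorted(v) for p, v in procs.items()} for sig, procs in hits.items()}


def evasion_verdict(result, min_sigs=2):
    """Processes that hit at least `min_sigs` environment-fingerprinting signatures."""
    per_proc = defaultdict(set)
    for sig, procs in result.items():
        if sig in EVASION_SIGS:
            for proc in procs:
                per_proc[proc].add(sig)
    return {p: sorted(s) for p, s in per_proc.items() if len(s) >= min_sigs}


if __name__ == "__main__":
    res = classify(parse_events(SAMPLE_EVENTS))
    for sig, procs in res.items():
        for proc, iocs in procs.items():
            print(f"{sig}: {proc} ({len(iocs)} IoCs)")
    print("likely anti-VM:", evasion_verdict(res))
```

Counting distinct signatures per process rather than raw events is what keeps the benign control out of the verdict: explorer.exe opens one unrelated key and C:, which matches nothing, while the sample hits three independent fingerprinting checks before it has done anything else.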
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | a994e6555f2de587dd8f5a011e372077.exe
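Opening \??\PhysicalDrive0 for modification gives the sample write access to sector 0 of the boot disk, so the check a responder wants is whether the MBR still matches a known-good copy. The following is an added example, not code from the original report or from the sample: it decodes a classic 512-byte MBR (partition table at offset 446, 0x55AA signature at offset 510), reports which region of the sector changed, and runs on two sectors constructed in memory. On a live host the current sector would be read from \\.\PhysicalDrive0, the device the sample opened, which needs administrative rights; the baseline would come from a clean image of the same machine. The bootstrap bytes and partition layout used here are constructed for illustration.

```python
"""Parse a classic MBR and diff it against a known-good baseline.
Added example; the sectors are constructed, not taken from the analysed host."""
import struct

SECTOR = 512
PT_OFFSET = 446     # four 16-byte partition entries start here
SIG_OFFSET = 510    # boot signature 0x55 0xAA occupies the last two bytes
REGIONS = {
    "bootstrap": (0, PT_OFFSET),
    "partition_table": (PT_OFFSET, SIG_OFFSET),
    "signature": (SIG_OFFSET, SECTOR),
}


def parse_mbr(sector):
    """Decode the partition table and boot signature of one 512-byte sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[SIG_OFFSET:] == b"\x55\xAA", "partitions": partitions}


def diff_mbr(baseline, current):
    """Name the regions that differ between a known-good sector and the current one."""
    return [name for name, (a, b) in REGIONS.items() if baseline[a:b] != current[a:b]]


def build_sample_mbr():
    """Constructed known-good sector: a tiny bootstrap stub and one NTFS (type 0x07) partition."""
    bootstrap = b"\x33\xC0\x8E\xD0" + b"\x90" * (PT_OFFSET - 4)   # xor ax,ax / mov ss,ax / NOPs
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return bootstrap + entry + b"\x00" * 48 + b"\x55\xAA"


def build_tampered_mbr():
    """The same sector with the start of the bootstrap code overwritten (constructed bytes)."""
    sector = bytearray(build_sample_mbr())
    sector[0:4] = b"\xEB\x3C\x90\x00"   # constructed replacement stub, not real bootkit code
    return bytes(sector)


if __name__ == "__main__":
    good, bad = build_sample_mbr(), build_tampered_mbr()
    print(parse_mbr(good))
    print("changed regions:", diff_mbr(good, bad))
```

A bootstrap-only change with an intact partition table and signature is the pattern to look for: the disk still boots and the volumes still mount, so nothing user-visible breaks, which is exactly what a bootkit wants.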
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
A thread flagged with ThreadHideFromDebugger stops generating debug events, so an attached debugger no longer sees its exceptions or breakpoints; this is a common anti-debugging measure.
pid | Process
1712 | a994e6555f2de587dd8f5a011e372077.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBIOSDate | a994e6555f2de587dd8f5a011e372077.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1712 | a994e6555f2de587dd8f5a011e372077.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1712 | a994e6555f2de587dd8f5a011e372077.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1712 | a994e6555f2de587dd8f5a011e372077.exe
1712 | a994e6555f2de587dd8f5a011e372077.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1712 wrote to memory of 2680 | 1712 | a994e6555f2de587dd8f5a011e372077.exe | 28
PID 1712 wrote to memory of 2680 | 1712 | a994e6555f2de587dd8f5a011e372077.exe | 28
PID 1712 wrote to memory of 2680 | 1712 | a994e6555f2de587dd8f5a011e372077.exe | 28
PID 1712 wrote to memory of 2680 | 1712 | a994e6555f2de587dd8f5a011e372077.exe | 28
PID 2680 wrote to memory of 2428 | 2680 | cmd.exe | 30
PID 2680 wrote to memory of 2428 | 2680 | cmd.exe | 30
PID 2680 wrote to memory of 2428 | 2680 | cmd.exe | 30
PID 2680 wrote to memory of 2428 | 2680 | cmd.exe | 30
PID 2428 wrote to memory of 2472 | 2428 | net.exe | 31
PID 2428 wrote to memory of 2472 | 2428 | net.exe | 31
PID 2428 wrote to memory of 2472 | 2428 | net.exe | 31
PID 2428 wrote to memory of 2472 | 2428 | net.exe | 31
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\a994e6555f2de587dd8f5a011e372077.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a994e6555f2de587dd8f5a011e372077.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1712
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c net stop Spooler
    - Suspicious use of WriteProcessMemory
    PID: 2680
    Depth 3: C:\Windows\SysWOW64\net.exe
      Command line: net stop Spooler
      - Suspicious use of WriteProcessMemory
      PID: 2428
      Depth 4: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop Spooler
        PID: 2472
Depth 1: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
  PID: 2112
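The process tree shows the 32-bit sample (SysWOW64 children) going through cmd.exe, net.exe and net1.exe to stop the Spooler service; the WriteProcessMemory entries are the parent-to-child chain of that spawn. The following is an added example, not code from the original report or from the sample: it rebuilds that chain from process records constructed from the PIDs and command lines above, then flags any `net stop` whose ancestry leads back to an executable in a user's Temp directory. The report gives no parent for the two top-level processes, so their parent PID is set to 0 here; the extra net.exe record with PID 3000 is a constructed benign control, and the Temp-directory pattern and the watched-service list are this example's own assumptions.

```python
"""Reconstruct the spawn chain behind 'net stop Spooler' and flag service stops
that originate from a user's Temp directory. Added example with constructed records."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a994e6555f2de587dd8f5a011e372077.exe"

# Records built from the report's process list; ppid 0 = parent not given in the report.
PROCESSES = [
    Proc(1712, 0, SAMPLE, '"' + SAMPLE + '"'),
    Proc(2680, 1712, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c net stop Spooler"),
    Proc(2428, 2680, r"C:\Windows\SysWOW64\net.exe", "net stop Spooler"),
    Proc(2472, 2428, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 stop Spooler"),
    Proc(2112, 0, r"C:\Windows\System32\rundll32.exe",
         r"C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll "
         r"{995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding"),
    # Constructed benign control: the same command with no Temp-directory ancestor.
    Proc(3000, 0, r"C:\Windows\System32\net.exe", "net stop Spooler"),
]

NET_STOP_RE = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(\S+)", re.I)
TEMP_DIR_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)  # assumption
WATCHED_SERVICES = {"spooler"}  # assumption: services whose stop should be investigated


def build_tree(procs):
    return {p.pid: p for p in procs}


def ancestors(tree, pid):
    """Yield the process and then each parent; stops at an unknown parent or a cycle."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        yield tree[pid]
        pid = tree[pid].ppid


def find_service_stops(procs):
    """One finding per net.exe/net1.exe that stops a service, with its full ancestry."""
    tree = build_tree(procs)
    findings = []
    for p in procs:
        m = NET_STOP_RE.search(p.cmdline)
        if not m or not p.image.lower().endswith(("\\net.exe", "\\net1.exe")):
            continue  # cmd.exe carries the same text but is only the launcher
        chain = list(ancestors(tree, p.pid))
        origin = next((a for a in chain if TEMP_DIR_RE.search(a.image)), None)
        findings.append({
            "pid": p.pid,
            "service": m.group(1),
            "watched": m.group(1).lower() in WATCHED_SERVICES,
            "chain": [a.pid for a in reversed(chain)],        # root-most first
            "origin_in_temp": origin.image if origin else None,
            "wow64": "\\syswow64\\" in p.image.lower(),       # 32-bit child on a 64-bit host
        })
    return findings


if __name__ == "__main__":
    for f in find_service_stops(PROCESSES):
        print(f)
```

Walking ancestry rather than matching on net.exe alone is what separates the two results: the chain 1712 -> 2680 -> 2428 -> 2472 ends in a Temp-directory executable and is worth an alert, while the control record with no such ancestor stops the same service and is not.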
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3KB
MD5
cf4211730cb747f3b8ad4fd3e832aeff
SHA1
a9ced132a3171a77db95398dc56fceff9d0ac77a
SHA256
e4096d6b7340d2c0767b68205426ee18291f18f0747e43e5c8f0369594ab796a
SHA512
7a8447c8101ffab6f00a880a624a7c359578451c12870415a5ba4f6857c4bb6a598dd4d7b756994bc4a6f3db4735a4b58fa884375eeed6f6e440cad33f4a7743