aaaa0350f8c8284a52a8af65b77b6d7c8ee93872245f1accd8b86d7c45273a7a

Analysis

max time kernel
29s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
03/06/2024, 12:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DSD 2.457/DSDPlus.exe
Size

1.9MB
MD5

d1da4d30ed524c08377195a18c5032e7
SHA1

1975e04d9741a0e864f8de82d92026a096daa9c9
SHA256

b30d3254044fe1460bc5d22bcf011462459f6fc369f29b5fa14f40d59bbb1211
SHA512

879585d3ad564dc361a0ba2a24967db5ff7794407c278814b3ca3a0541fb94a20281d629805e02f6655d05d3a332ab297652ac8ff3ad8816f591f26384a5198e
SSDEEP

49152:Y4axQgV5Xz1Eh5+id5u4jiilRgHCVk9FdRMM1PNLkbQ/yHRu:zaxT5jOh5QmiIgioFdS60QE

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DSDPlus.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DSDPlus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DSDPlus.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine	DSDPlus.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2092	DSDPlus.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2092	DSDPlus.exe
2092	DSDPlus.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2008	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\DSD 2.457\DSDPlus.exe
"C:\Users\Admin\AppData\Local\Temp\DSD 2.457\DSDPlus.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2092

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2092-0-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-1-0x00000000779A6000-0x00000000779A8000-memory.dmp

Filesize
8KB

Download
memory/2092-4-0x0000000000401000-0x000000000044F000-memory.dmp

Filesize
312KB

Download
memory/2092-5-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-12-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-17-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-18-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-19-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-20-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-25-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-26-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-27-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-36-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-38-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-39-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-40-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-41-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-42-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-43-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2092-44-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download