lumma | 0aaf66f5831370bd7320db9fafe43bd25bbfecb770c1a7f669e0e2b0da83c776

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2D0690.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3h82w.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2D0690.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2D0690.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3h82w.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3h82w.exe

Executes dropped EXE 2 IoCs

pid	Process
4928	2D0690.exe
316	3h82w.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	2D0690.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	3h82w.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0aaf66f5831370bd7320db9fafe43bd25bbfecb770c1a7f669e0e2b0da83c776N.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4928	2D0690.exe
316	3h82w.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2240	4928	WerFault.exe	84
3516	4928	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0aaf66f5831370bd7320db9fafe43bd25bbfecb770c1a7f669e0e2b0da83c776N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2D0690.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3h82w.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4928	2D0690.exe
4928	2D0690.exe
316	3h82w.exe
316	3h82w.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 4928	760	0aaf66f5831370bd7320db9fafe43bd25bbfecb770c1a7f669e0e2b0da83c776N.exe	84
PID 760 wrote to memory of 4928	760	0aaf66f5831370bd7320db9fafe43bd25bbfecb770c1a7f669e0e2b0da83c776N.exe	84
PID 760 wrote to memory of 4928	760	0aaf66f5831370bd7320db9fafe43bd25bbfecb770c1a7f669e0e2b0da83c776N.exe	84
PID 760 wrote to memory of 316	760	0aaf66f5831370bd7320db9fafe43bd25bbfecb770c1a7f669e0e2b0da83c776N.exe	99
PID 760 wrote to memory of 316	760	0aaf66f5831370bd7320db9fafe43bd25bbfecb770c1a7f669e0e2b0da83c776N.exe	99
PID 760 wrote to memory of 316	760	0aaf66f5831370bd7320db9fafe43bd25bbfecb770c1a7f669e0e2b0da83c776N.exe	99

C:\Users\Admin\AppData\Local\Temp\0aaf66f5831370bd7320db9fafe43bd25bbfecb770c1a7f669e0e2b0da83c776N.exe
"C:\Users\Admin\AppData\Local\Temp\0aaf66f5831370bd7320db9fafe43bd25bbfecb770c1a7f669e0e2b0da83c776N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2D0690.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2D0690.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1568
    3⤵
    - Program crash
    PID:2240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1608
    3⤵
    - Program crash
    PID:3516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3h82w.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3h82w.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4928 -ip 4928
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4928 -ip 4928
1⤵
PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

2

Credential Access

Discovery

Query Registry

3

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

2