
3CX Supply Chain Blue Team Lab
Hello everyone. This is a nice lab in threat intel and a nice supply chain example, so here we go.
1- We will use the lovely tool VirusTotal, but with the hash only :)
When we submit the hash and take a quick look at Details, we can easily see that there are two versions of 3CX.


2- In the history we can find the creation date of the malware


3- For the executable DLLs, we will look at the Relations section


4- DLL side-loading


5- We can easily detect that it is a Trojan


6- Virtualization/sandbox is also in the behaviour


7- I think reading this is better

Simply, it is VMware.
8- Detect the encryption technique


9- Know the APT name

