Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    21-04-2021 09:51

General

  • Target

    malware_sfx_v2.exe

  • Size

    11.7MB

  • MD5

    19c56bb998234db3b6ebfbe869ec04df

  • SHA1

    36c9ddc3204603890ee817c0d0f7fddafe4ed402

  • SHA256

    ce70da91a13434b7f62a55ed34607b1319599ebe502b65129d8b25888f68e4cf

  • SHA512

    d9dfc7a405fb40d055d8c3028add0ca436ec68aab154afb7ea86ce799266350313778f6d78dc17d6d915cea16d5a5daa56ff5c01814f3ece2922aa28eddb5343

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 3 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 5 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\malware_sfx_v2.exe
    "C:\Users\Admin\AppData\Local\Temp\malware_sfx_v2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\7zS017807D3\sample.exe
      .\sample.exe
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:420

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Bootkit (1) T1067
  • Defense Evasion
    Virtualization/Sandbox Evasion (1) T1497
  • Discovery
    Query Registry (2) T1012
    Virtualization/Sandbox Evasion (1) T1497
    System Information Discovery (3) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zS017807D3\Avira.OE.NativeCore.dll
    MD5

    698440a52cd5fa51844ec17298538696

    SHA1

    46e69add8b69e7e6613218ce8f8c3d56f4a6b47b

    SHA256

    bd0d915e4829658dc3de085ffa2cf7533b2b5335678b106307e55054a84891b3

    SHA512

    cb81110415a4231bac1e61df12cf8e2e8d166161210380980383399d640d2c7635ab512833aada6003ef2cfedad29dc5d52c1853b6eaf4281682361863a798ba

  • C:\Users\Admin\AppData\Local\Temp\7zS017807D3\MSVCP120.dll
    MD5

    46060c35f697281bc5e7337aee3722b1

    SHA1

    d0164c041707f297a73abb9ea854111953e99cf1

    SHA256

    2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848

    SHA512

    2cf2ed4d45c79a6e6cebfa3d332710a97f5cf0251dc194eec8c54ea0cb85762fd19822610021ccd6a6904e80afae1590a83af1fa45152f28ca56d862a3473f0a

  • C:\Users\Admin\AppData\Local\Temp\7zS017807D3\MSVCR120.dll
    MD5

    9c861c079dd81762b6c54e37597b7712

    SHA1

    62cb65a1d79e2c5ada0c7bfc04c18693567c90d0

    SHA256

    ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c

    SHA512

    3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

  • C:\Users\Admin\AppData\Local\Temp\7zS017807D3\sample.exe
    MD5

    8cbb75febfb4b0b7c3b6d3613386220c

    SHA1

    ba5493b08354aee85151b7bbd15150a1c3f03d1d

    SHA256

    f495d7c5c98457febc42ec96a959293788f6915e4245899d3bb1808ab84f0d9a

    SHA512

    8cb5f08f9e21fb6648f364869366ad09908be9e0317f95708a9e1931d30855cdfab199464bf5d72675bc1e166e8ce4645e6d0dca0d8d1c78428fbc77d4dd25fd

  • memory/420-114-0x0000000000000000-mapping.dmp
  • memory/420-123-0x0000000077300000-0x000000007748E000-memory.dmp
    Filesize

    1.6MB

  • memory/420-124-0x00000000713E0000-0x0000000073705000-memory.dmp
    Filesize

    35.1MB

  • memory/420-125-0x00000000713E1000-0x000000007190A000-memory.dmp
    Filesize

    5.2MB

  • memory/420-126-0x0000000000A20000-0x0000000000B6A000-memory.dmp
    Filesize

    1.3MB