General

  • Target

    COMPRO.SEDEX-5.f6IWDa8KAH6eFiEbOVtQ.zip

  • Size

    125KB

  • Sample

    210714-a8ep5emgbx

  • MD5

    438cad50ddf281c804ed079e50bbfe4c

  • SHA1

    28097bfc46b9311069bcfb4c00f3dada9ae6c413

  • SHA256

    c74eddf5ac23f4861b1f6ff67ab1532fd82d403dc3754df3e4d7d36bd73e490f

  • SHA512

    a9451609bc77bbf47fe30372c7ad165d453ad502699893f155815b52e93654d0ef692bb3d4170d3f6800e8f9b38e5252fc1f8907323fbd2cb7de6667d4abbec1

Malware Config

Targets

    • Target

      COMPRO.SEDEX-5.TIZOLPLIAXWUJUDLIJJLSNXSDAFMVG?.msi

    • Size

      282KB

    • MD5

      4c4b518cd235c9be37cd09c672f67a2f

    • SHA1

      fd35655bb7e9555862cba72211baad18e3389872

    • SHA256

      56629c6ce6d6975476fb7c10135882bafa55a04576e80d28cb8e0817e052e4d6

    • SHA512

      e2c9e12ab2bb446e9650b95bfd5907f9fc7a37d2da4db8400ba5b2390968082030368825e21eb9334fc7ce81e92b2c4937ba569ac80d5c69af50f1f523e4c0a2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1
    Bootkit (T1067): 1

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 1
    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 3
    Virtualization/Sandbox Evasion (T1497): 1
    System Information Discovery (T1082): 4
    Peripheral Device Discovery (T1120): 1