General
Target: COMPRO.SEDEX-5.f6IWDa8KAH6eFiEbOVtQ.zip
Size: 125KB
Sample: 210714-a8ep5emgbx
MD5: 438cad50ddf281c804ed079e50bbfe4c
SHA1: 28097bfc46b9311069bcfb4c00f3dada9ae6c413
SHA256: c74eddf5ac23f4861b1f6ff67ab1532fd82d403dc3754df3e4d7d36bd73e490f
SHA512: a9451609bc77bbf47fe30372c7ad165d453ad502699893f155815b52e93654d0ef692bb3d4170d3f6800e8f9b38e5252fc1f8907323fbd2cb7de6667d4abbec1

Behavioral task
behavioral1
Sample: COMPRO.SEDEX-5.TIZOLPLIAXWUJUDLIJJLSNXSDAFMVG?.msi
Resource: win10v20210408

Malware Config

Targets
Target: COMPRO.SEDEX-5.TIZOLPLIAXWUJUDLIJJLSNXSDAFMVG?.msi
Size: 282KB
MD5: 4c4b518cd235c9be37cd09c672f67a2f
SHA1: fd35655bb7e9555862cba72211baad18e3389872
SHA256: 56629c6ce6d6975476fb7c10135882bafa55a04576e80d28cb8e0817e052e4d6
SHA512: e2c9e12ab2bb446e9650b95bfd5907f9fc7a37d2da4db8400ba5b2390968082030368825e21eb9334fc7ce81e92b2c4937ba569ac80d5c69af50f1f523e4c0a2
Score: 9/10

Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Executes dropped EXE
Checks BIOS information in registry
    BIOS information is often read in order to detect sandboxing environments.
Drops startup file
Loads dropped DLL
Adds Run key to start application
Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
Writes to the Master Boot Record (MBR)
    Bootkits write to the MBR to gain persistence at a level below the operating system.
Suspicious use of NtSetInformationThreadHideFromDebugger