General

  • Target

    Universal IPTV Scan v4.0.exe

  • Size

    43.8MB

  • Sample

    211020-qcr6waaaar

  • MD5

    edce1ea84d12ac07872fd79d7262813a

  • SHA1

    9dba59744e046dce48ec0c000f6f760f5ef1ad70

  • SHA256

    f5ae25bd25a164a53d9764e9f18822ba515517669ecea5b59edcaa7f055138a9

  • SHA512

    00a9d2a0477b8335ea77ffb4147fbdf365d98d19f1c343a9ae7ad177530df1b97e5d1b72c466fc85f9435cf87d7b66e711e96be0d132a3904789dc4586c04422

Targets

    • Target

      Universal IPTV Scan v4.0.exe

    • Modifies visibility of hidden/system files in Explorer

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
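Most of the behaviours listed above (the VirtualBox ACPI lookup, the BIOS version read, the Run key, the Explorer hidden-file setting) surface as registry operations, so they can be matched from a sandbox or Sysmon registry event stream without needing the sample itself. The following is an added example, not part of the original report and not Tria.ge code: a small matcher that runs a few rules over constructed Sysmon-style registry events and maps each hit to the ATT&CK v6 technique ID the report uses. The event records, the image path and the process names are made up for the example; the registry paths are the standard locations the named checks read or write.

```python
import re

# Constructed Sysmon-style registry events for the example (not real sandbox output).
# "op" is "query" for a key/value read and "set" for a value write.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\user\Desktop\Universal IPTV Scan v4.0.exe", "op": "query",
     "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"image": r"C:\Users\user\Desktop\Universal IPTV Scan v4.0.exe", "op": "query",
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"image": r"C:\Users\user\Desktop\Universal IPTV Scan v4.0.exe", "op": "set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\user\AppData\Roaming\updater.exe"},
    {"image": r"C:\Users\user\Desktop\Universal IPTV Scan v4.0.exe", "op": "set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "ShowSuperHidden", "data": "0"},
    # Benign read of the same Explorer key: a read is normal, only a write is interesting.
    {"image": r"C:\Windows\explorer.exe", "op": "query",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"},
]

# (description, ATT&CK v6 technique ID as used in the report, operations, key pattern, value pattern)
RULES = [
    ("VirtualBox ACPI table lookup (anti-VM)", "T1497", {"query"},
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I), None),
    ("BIOS information read (sandbox detection)", "T1082", {"query"},
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\"
                r"(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I), None),
    ("Run key written (persistence)", "T1060", {"set"},
     re.compile(r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I), None),
    ("Explorer hidden/system file visibility changed", "T1158", {"set"},
     re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced$", re.I),
     re.compile(r"^(Hidden|ShowSuperHidden)$", re.I)),
]


def match_events(events, rules=RULES):
    """Return one hit per (event, rule) pair whose operation, key and value all match."""
    hits = []
    for ev in events:
        for name, technique, ops, key_re, value_re in rules:
            if ev["op"] not in ops or not key_re.search(ev["key"]):
                continue
            if value_re is not None and not value_re.search(ev.get("value", "")):
                continue
            hits.append({"technique": technique, "rule": name,
                         "image": ev["image"], "key": ev["key"]})
    return hits


def summarize(hits):
    """Collapse hits into the matrix shape the report uses: technique ID -> hit count."""
    counts = {}
    for h in hits:
        counts[h["technique"]] = counts.get(h["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in match_events(SAMPLE_EVENTS):
        print(f'{h["technique"]}  {h["rule"]}  <- {h["image"]}')
    print(summarize(match_events(SAMPLE_EVENTS)))
```

The rules deliberately key on the operation as well as the path: reading HKCU\...\Explorer\Advanced is something Explorer itself does constantly, so only a write to Hidden or ShowSuperHidden is flagged, which is also why the benign explorer.exe event produces no hit. The technique IDs follow the v6 matrix used in this report; in current ATT&CK, T1158 has become T1564.001 and T1060 has become T1547.001, so map them before feeding the output into tooling that expects the newer IDs.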

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic            Technique                             Count  ID
    Persistence       Hidden Files and Directories          1      T1158
    Persistence       Registry Run Keys / Startup Folder    2      T1060
    Defense Evasion   Hidden Files and Directories          1      T1158
    Defense Evasion   Modify Registry                       4      T1112
    Defense Evasion   Virtualization/Sandbox Evasion        1      T1497
    Discovery         Query Registry                        5      T1012
    Discovery         Virtualization/Sandbox Evasion        1      T1497
    Discovery         System Information Discovery          6      T1082
    Discovery         Peripheral Device Discovery           2      T1120
