General

  • Target

    e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7

  • Size

    3.2MB

  • Sample

    220116-jnzxjafcf4

  • MD5

    978b7f1dba9746c29ac4b61bc219bd7b

  • SHA1

    f498e5ebf211bace3e027a1596edfdcf7900317c

  • SHA256

    e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7

  • SHA512

    dbdba57e4af16966d814bb0fafec867be05dd33381ab3140cb99249a7df57f7a09f69bdec5909d00a7268fda7574be3e738561bf094b211e3e9d5c6fb126da08

Malware Config

Targets

    • Target

      e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7

    • Size

      3.2MB

    • MD5

      978b7f1dba9746c29ac4b61bc219bd7b

    • SHA1

      f498e5ebf211bace3e027a1596edfdcf7900317c

    • SHA256

      e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7

    • SHA512

      dbdba57e4af16966d814bb0fafec867be05dd33381ab3140cb99249a7df57f7a09f69bdec5909d00a7268fda7574be3e738561bf094b211e3e9d5c6fb126da08

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Tasks