8 Cores.msi

General
Target

8 Cores.msi

Size

319KB

Sample

220116-wnja1afha2

Score
10 /10
MD5

6047ee1af2d30ef7db95fabb788ec9f9

SHA1

2731a77f03f97aa03adcd2c7c6f4342d2fd1d515

SHA256

b3f5506d672e2ea0564c52413f1f8847c569542d2cd475937c6f21a443292728

SHA512

7d8de10cdf4399692da6b7e80c96d865ffc891292e1bf16adaf663f2cf087802ae61bde15057a9aa7c82d6dbd0930e623c3a4c947502c5c1129bbc66d8aa03e8

Malware Config
Targets
Target

8 Cores.msi

MD5

6047ee1af2d30ef7db95fabb788ec9f9

Filesize

319KB

Score
10/10
SHA1

2731a77f03f97aa03adcd2c7c6f4342d2fd1d515

SHA256

b3f5506d672e2ea0564c52413f1f8847c569542d2cd475937c6f21a443292728

SHA512

7d8de10cdf4399692da6b7e80c96d865ffc891292e1bf16adaf663f2cf087802ae61bde15057a9aa7c82d6dbd0930e623c3a4c947502c5c1129bbc66d8aa03e8

Tags

Signatures

  • Registers COM server for autorun

    Tags

    TTPs

    Registry Run Keys / Startup Folder
  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query RegistryVirtualization/Sandbox Evasion
  • Executes dropped EXE

  • Sets file execution options in registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Loads dropped DLL

  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Privilege Escalation
                    Tasks

                    static1

                    behavioral1

                    6/10

                    behavioral2

                    10/10