Malware sandboxing report by Hatching Triage

Sharing

Copy URL

Twitter E-mail

General

Target

63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b
Size

1MB
Sample

220117-tgjl3sbad3
MD5

acabd1f99b9e449d951dea975e1f1ad5
SHA1

ef545ca153737d6246be2cd3de1b26fb92241327
SHA256

63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b
SHA512

e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1

Score

10^/10

Malware Config

Targets

- Target
  
  63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b
- Size
  
  1MB
- MD5
  
  acabd1f99b9e449d951dea975e1f1ad5
- SHA1
  
  ef545ca153737d6246be2cd3de1b26fb92241327
- SHA256
  
  63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b
- SHA512
  
  e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1
Score

10^/10

evasion persistence themida trojan upx
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Tasks

static1

themida

Score

7^/10

behavioral1

evasionpersistencethemidatrojanupx

Score

10^/10

Sharing

General

Malware Config

Targets

Modifies Windows Defender Real-time Protection settings

Suspicious use of NtCreateProcessExOtherParentProcess

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Checks BIOS information in registry

Themida packer

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1