General

  • Target

    dca68095317df735cbaac8724a3d4af4aa504d1b58e30699388b67ec44a0e5b8

  • Size

    3.3MB

  • Sample

    220120-j8as5shaal

  • MD5

    a997db4429053e504cd9d4afaab825cd

  • SHA1

    c0f15b9aaf8876619b9dbe08e429a024d646b867

  • SHA256

    dca68095317df735cbaac8724a3d4af4aa504d1b58e30699388b67ec44a0e5b8

  • SHA512

    84bf29ec7b74577c801507d2f08de15b64d3940650067f12a9433924305fa4741593e08b91cb75100c39590f769a9c63b7c3d14faaf9c8d675de35b1a7636117

Malware Config

Targets

    • Target

      dca68095317df735cbaac8724a3d4af4aa504d1b58e30699388b67ec44a0e5b8

    • Size

      3.3MB

    • MD5

      a997db4429053e504cd9d4afaab825cd

    • SHA1

      c0f15b9aaf8876619b9dbe08e429a024d646b867

    • SHA256

      dca68095317df735cbaac8724a3d4af4aa504d1b58e30699388b67ec44a0e5b8

    • SHA512

      84bf29ec7b74577c801507d2f08de15b64d3940650067f12a9433924305fa4741593e08b91cb75100c39590f769a9c63b7c3d14faaf9c8d675de35b1a7636117

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Tasks