General

  • Target: 0672f13398e67c43c7157c82ebc12bab.exe

  • Size: 1.3MB

  • Sample: 220120-x4dk5abcd6

  • MD5: 0672f13398e67c43c7157c82ebc12bab

  • SHA1: 7d0f4d5a05767f7ef534d7b05c72d5498918597d

  • SHA256: 93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

  • SHA512: 3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Malware Config

Targets

    • Target: 0672f13398e67c43c7157c82ebc12bab.exe

    • Size: 1.3MB

    • MD5: 0672f13398e67c43c7157c82ebc12bab

    • SHA1: 7d0f4d5a05767f7ef534d7b05c72d5498918597d

    • SHA256: 93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

    • SHA512: 3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

    • Modifies Windows Defender Real-time Protection settings

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                            Count  ID
Persistence       Modify Existing Service              1      T1031
Persistence       Registry Run Keys / Startup Folder   1      T1060
Defense Evasion   Modify Registry                      2      T1112
Defense Evasion   Disabling Security Tools             1      T1089
Defense Evasion   Virtualization/Sandbox Evasion       1      T1497
Discovery         Query Registry                       2      T1012
Discovery         Virtualization/Sandbox Evasion       1      T1497
Discovery         System Information Discovery         2      T1082

Tasks