General

  • Target

    43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

  • Size

    6.3MB

  • Sample

    220127-n9dzeaceh6

  • MD5

    7e80c2ae5587b824d8230e782089e86b

  • SHA1

    90f0912a29b9cc7a55bd4b561e1a574e005cecf6

  • SHA256

    43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

  • SHA512

    db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Malware Config

Targets

    • Modifies Windows Defender Real-time Protection settings

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

      Rewriting another thread's register context is how process hollowing and similar injection techniques hand execution to attacker-controlled code; together with "Executes dropped EXE" it points at a payload run inside a second process.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            Count  ID
  Persistence      Modify Existing Service              1      T1031
  Persistence      Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion  Modify Registry                      2      T1112
  Defense Evasion  Disabling Security Tools             1      T1089
  Defense Evasion  Virtualization/Sandbox Evasion       1      T1497
  Discovery        Query Registry                       2      T1012
  Discovery        Virtualization/Sandbox Evasion       1      T1497
  Discovery        System Information Discovery         2      T1082
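
The matrix maps the behavioural signatures to ATT&CK v6 techniques. As an added example (not code from this report or the sandbox vendor), the following Python runs rules equivalent to five of the signatures above over a constructed registry API trace and rolls the hits up per technique. The technique assignment on each rule is my assumption, taken from the v6 IDs on this page; the VBOX__ ACPI keys, the HARDWARE\DESCRIPTION\System BIOS values, EnableLUA, the Windows Defender Real-Time Protection policy key and the CurrentVersion\Run key are the real registry locations these checks rely on. The trace itself is invented for the example.

```python
import re

# Constructed, sandbox-style registry API trace for one process (illustrative, not the
# report's raw data). Fields: API, key path, value name (None for key opens), data written.
TRACE = [
    ("RegOpenKeyExW",    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", None, None),
    ("RegQueryValueExW", r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion", None),
    ("RegQueryValueExW", r"HKLM\HARDWARE\DESCRIPTION\System", "VideoBiosVersion", None),
    ("RegQueryValueExW", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", None),
    ("RegSetValueExW",   r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "DisableRealtimeMonitoring", 1),
    ("RegSetValueExW",   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r"C:\Users\victim\AppData\Roaming\svchost.exe"),
    ("RegQueryValueExW", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
     "ProductName", None),   # benign noise that must not fire
]

# Each rule: signature name as worded in the report, the ATT&CK v6 technique it is
# assumed to map to, which APIs count, and regexes over the key path / value name.
RULES = [
    dict(name="Identifies VirtualBox via ACPI registry values (likely anti-VM)", attack="T1497",
         apis={"RegOpenKeyExW", "RegQueryValueExW"},
         key=re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    dict(name="Checks BIOS information in registry", attack="T1082",
         apis={"RegQueryValueExW"},
         key=re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System$", re.I),
         value=re.compile(r"^(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$", re.I)),
    dict(name="Checks whether UAC is enabled", attack="T1012",
         apis={"RegQueryValueExW"},
         key=re.compile(r"\\Policies\\System$", re.I),
         value=re.compile(r"^EnableLUA$", re.I)),
    dict(name="Modifies Windows Defender Real-time Protection settings", attack="T1089",
         apis={"RegSetValueExW"},
         key=re.compile(r"\\Windows Defender\\Real-Time Protection$", re.I),
         value=re.compile(r"^Disable", re.I)),
    dict(name="Adds Run key to start application", attack="T1060",
         apis={"RegSetValueExW"},
         key=re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)),
]


def match_rules(trace, rules=RULES):
    """Return {(signature, technique): [matching events]} for a registry trace."""
    hits = {}
    for api, key, value, data in trace:
        for rule in rules:
            if api not in rule["apis"] or not rule["key"].search(key):
                continue
            if "value" in rule and not (value and rule["value"].search(value)):
                continue
            hits.setdefault((rule["name"], rule["attack"]), []).append((api, key, value, data))
    return hits


def technique_counts(hits):
    """Collapse signature hits into per-technique counts, like the matrix's Count column."""
    counts = {}
    for (_, technique) in hits:
        counts[technique] = counts.get(technique, 0) + 1
    return counts


if __name__ == "__main__":
    hits = match_rules(TRACE)
    for (name, technique), events in hits.items():
        print(f"{technique}  {name}  ({len(events)} event(s))")
    print(technique_counts(hits))
```

Reads of the VBOX__ and BIOS keys are only visible in an API-level trace such as a sandbox produces; Sysmon and Windows auditing log value writes (the Defender and Run key events), not RegQueryValueEx calls, so on a live host only the last two rules have a data source.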

Tasks