Resubmissions

  • 29-04-2022 12:47  220429-p1aq3aaea3  10
  • 29-04-2022 12:27  220429-pmq6wsade7  9
  • 29-04-2022 11:59  220429-n55assada2  9

General

  • Target: fses09.ig
  • Size: 4.8MB
  • Sample: 220429-p1aq3aaea3
  • MD5: 128df60c1a391a1df118f59c23c8cf40
  • SHA1: f19db46857534d6509460d671abb67e9df50df0b
  • SHA256: b36104f19ed61faca68a6ecdf9e6a69c11c7502374d17b7b6b91895b2468e506
  • SHA512: 422425f6e6e886da43079dc8583d65df427b1b3dcfadf4fc37427035f5accc8d15cbedf6eb53bb34e0cfe04e5af6c816d70d9339daff88ca2183d4f05b9d5312

Malware Config

Targets

    • Target: tAIpbmQIFr.aoc
    • Size: 8.3MB
    • MD5: 43ec1335c6942f75f1767145382f6f05
    • SHA1: 0a72d5292297baa68b4f6fb69a2dca4bff8a54f1
    • SHA256: 0facb1550bf9eb5393d10942c99f5171806927e5c221d8db33468287f16efa88
    • SHA512: 547f7db51f8281dc1f6e7ce17b1fc8b3d3b675fdfd59451b620d4e6f0708c62ce87e6836c3e981c5867396a05f7c14a27eaf12bcb1d4065a6b74d946886973a5

    • Registers COM server for autorun

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Sets file execution options in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • T1060 Registry Run Keys / Startup Folder (4)
  • T1176 Browser Extensions (1)

Defense Evasion

  • T1497 Virtualization/Sandbox Evasion (1)
  • T1112 Modify Registry (6)

Discovery

  • T1012 Query Registry (6)
  • T1497 Virtualization/Sandbox Evasion (1)
  • T1082 System Information Discovery (6)
  • T1120 Peripheral Device Discovery (1)

Tasks