Overview

overview

8

Static

static

8

GameHardware.exe

windows7_x64

8

GameHardware.exe

windows10-2004_x64

8

IP地址修改器.exe

windows7_x64

3

IP地址修改器.exe

windows10-2004_x64

3

VMwarehardware.exe

windows7_x64

8

VMwarehardware.exe

windows10-2004_x64

8

hardware.exe

windows7_x64

8

hardware.exe

windows10-2004_x64

8

一键修....exe

windows7_x64

7

一键修....exe

windows10-2004_x64

7

分区序....exe

windows7_x64

1

分区序....exe

windows10-2004_x64

1

网卡MAC....exe

windows7_x64

1

网卡MAC....exe

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3356559202bc774b2201346dcbfea6dadfd8b256288a8e0d7a8f7da120030fcb

  • Size

    12.8MB

  • Sample

    220520-fkqb5sdfer

  • MD5

    239bf3b156c534745d584ad8cf02e5b0

  • SHA1

    afa276ce42be4be7195e151370d3bf338acb437f

  • SHA256

    3356559202bc774b2201346dcbfea6dadfd8b256288a8e0d7a8f7da120030fcb

  • SHA512

    c9d5c44e7fbc8771547edb2d5a00495a06731768d4d463937de7699c8beeff4b4a39552ef52d741658eda230fc867bb882a0dc0221149dccbbaad294e193b58e

Score
8/10
bootkitpersistencevmprotect

Malware Config

Targets

    • Target

      GameHardware.exe

    • Size

      3.0MB

    • MD5

      2f9c82f0f68238e9119e58522a7edbdd

    • SHA1

      de538ef85d65ae879bb54f0c359320c04d3f1c1b

    • SHA256

      48268e44f32fbb789e29a02aa6dde585b9b9139f37a9a06be2140edb145a7118

    • SHA512

      1e2584082b47a7bc07ad93906ea43cf9c497676373ef90d68a7357be4ace38f66db453d647baba48bec6d88211ef22ce685cefad96b1eb5423a95de320c08444

    Score
    8/10
    vmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      IP地址修改器.exe

    • Size

      1.7MB

    • MD5

      243458530a7047c32c6a2cce3f8ed14f

    • SHA1

      68404c80fc17aa5a078afdfcd230a51ffffa1000

    • SHA256

      54d667dd1661820e6ef9d8d3e6409ab63d9ed720aae2c574b827495fcb215570

    • SHA512

      d57ab9290ffb1a097714f24b44b94067e64dd59b6514e880f3248247ad310c7fb7b1d6c0e7451bd56c9e3b9fde0d1f04db22c5fa7279002093b06aabd0bc8957

    Score
    3/10
    behavioral3behavioral4

    • Target

      VMwarehardware.exe

    • Size

      3.6MB

    • MD5

      f7f54b4990122d9befde831905fd5955

    • SHA1

      81622ef7179128f8f5f59ba21df8efdf56f902d2

    • SHA256

      03568cf423fd658b3799b3cd687e4d537f3788bec138352c252434ef8fc041bd

    • SHA512

      67d80ea11116a34ed3d5dbe2a6bda0a6f6932b18db5fcf9d57a6db1b6342a5de5bffa0d0b8e40b04d84d8c11c56ae0706ceddd1d248368af1f796f3e70232d1a

    Score
    8/10
    bootkitpersistencevmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral5behavioral6

    • Target

      hardware.exe

    • Size

      3.8MB

    • MD5

      3ab55ffcb2a3e5ed6736ee140b2517cd

    • SHA1

      1a0ee95472512823db3874f459a4f4af60c93de8

    • SHA256

      fdc567520e5d5c3e1f992758fdc8088930a7e719938d38f59c4cb6f9a4bb971d

    • SHA512

      17dab96c1090cab014562a23cf4b99500a824a1a2fbf6ab97c25e3edef296472cf6f3e5201aa2f5675210c6a7adfa33320b25974498f464582e29635b9d2df04

    Score
    8/10
    bootkitpersistencevmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral7behavioral8

    • Target

      一键修改系统信息.exe

    • Size

      1.7MB

    • MD5

      0692e1b606617ee36a5bff5a919bac66

    • SHA1

      aa29d6e9049c125084c8b78c6f816a5ffaed0bee

    • SHA256

      a114ea8d11c12e66d1fb2ddd31ce91aa24ec9355dc6b3ab3fe2840cdf6a3f96b

    • SHA512

      b45a6438d7bc3039520bcc3abd97530fd776036e1b5756117fc3dfaa980bc7633adaea0b61c173e3a066083f7d4522a89d782c14a56eb5349920b68407773deb

    Score
    7/10

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    behavioral9behavioral10

    • Target

      分区序列号修改工具.exe

    • Size

      1.6MB

    • MD5

      99c050ee7f450fd6d0ed540b8ef8cc68

    • SHA1

      17224a94dfe9138ac32fa130769c146428816b2c

    • SHA256

      f9e32b5632bfbf591c8f8a078cb61ada43a1799d3fa16ceda08e707a0533b7ff

    • SHA512

      86eaa30f1c41b2aa114483f44c497df58254716905491457b67343627a14fa71e33178a0922355f74e44fc3bf25cecd53f0186596234c8338684c620841b29aa

    Score
    1/10
    behavioral11behavioral12

    • Target

      网卡MAC地址修改工具.exe

    • Size

      1.6MB

    • MD5

      7f03dab4be2e7266d2215e31fbaf6ecb

    • SHA1

      25a9b47938064cafcf3d69c16891fc4f0fdf64f3

    • SHA256

      10985ec327572de432bf0cb3e340ba76cb63479863f28b6c3219d2f42df765b1

    • SHA512

      257fc2ef093b56c8c72e61d98c745b76dce84be602c72e857e0cdce27d973c44e92130cd675a0e1ce34f9a605939cb4898cb6f00c4f543203e0e80188f2eea6e

    Score
    1/10
    behavioral13behavioral14

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

2
T1067

Privilege Escalation

Defense Evasion

Modify Registry

5
T1112

Credential Access

Discovery

System Information Discovery

9
T1082

Query Registry

5
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks