General

  • Target

    ef5e78ad7c42dba12eef9f71313f40751e9f8b82428968b4ab0684c0d5c63da9

  • Size

    8.6MB

  • Sample

    220521-ntqy2ahcak

  • MD5

    e0e71653d125295cf1348257beba044a

  • SHA1

    a69734fa7ce3e67a1500c702d1ea606baa4358ee

  • SHA256

    ef5e78ad7c42dba12eef9f71313f40751e9f8b82428968b4ab0684c0d5c63da9

  • SHA512

    603afccb5f2644b18eabb705ecf816571f5214896d0b2988aa22743a37fe8419b9bb66ae7e0c011074ba30137fde1e068b0f956c70a3e3083480a2a0c956f4fd

Malware Config

Targets

    • Target

      ef5e78ad7c42dba12eef9f71313f40751e9f8b82428968b4ab0684c0d5c63da9

    • Size

      8.6MB

    • MD5

      e0e71653d125295cf1348257beba044a

    • SHA1

      a69734fa7ce3e67a1500c702d1ea606baa4358ee

    • SHA256

      ef5e78ad7c42dba12eef9f71313f40751e9f8b82428968b4ab0684c0d5c63da9

    • SHA512

      603afccb5f2644b18eabb705ecf816571f5214896d0b2988aa22743a37fe8419b9bb66ae7e0c011074ba30137fde1e068b0f956c70a3e3083480a2a0c956f4fd

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Bootkit

1
T1067

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Tasks