0d9d5c831a3b7fa7488bdac603ae2831c2687e73f6a4c47eb976475b2db3432c | Triage

Sharing

General

Target

0d9d5c831a3b7fa7488bdac603ae2831c2687e73f6a4c47eb976475b2db3432c
Size

4.3MB
Sample

220524-2jtttsade8
MD5

49302b6e7322c4d43332764da154c265
SHA1

0a31920c37332ba69cf850e81c9e3f1600aede88
SHA256

0d9d5c831a3b7fa7488bdac603ae2831c2687e73f6a4c47eb976475b2db3432c
SHA512

1b14c817fed377bb8063737d75f6f8c131a150ab334ceb8359a7222b1a9ed0ff0d344a55dac54393c52492013073f0d03adff8f0bbd220e840cc1d4106385886

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Targets

- Target
  
  0d9d5c831a3b7fa7488bdac603ae2831c2687e73f6a4c47eb976475b2db3432c
- Size
  
  4.3MB
- MD5
  
  49302b6e7322c4d43332764da154c265
- SHA1
  
  0a31920c37332ba69cf850e81c9e3f1600aede88
- SHA256
  
  0d9d5c831a3b7fa7488bdac603ae2831c2687e73f6a4c47eb976475b2db3432c
- SHA512
  
  1b14c817fed377bb8063737d75f6f8c131a150ab334ceb8359a7222b1a9ed0ff0d344a55dac54393c52492013073f0d03adff8f0bbd220e840cc1d4106385886
Score

9^/10

bootkit evasion persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitevasionpersistencetrojan

behavioral2

bootkitevasionpersistencetrojan