General
-
Target
e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2
-
Size
4.7MB
-
Sample
220715-2zsxgafhgk
-
MD5
b81617f91ae5dfc6ba926f807f908ec2
-
SHA1
569b4c96d628ac2fe57ba7851a28ff48eee19270
-
SHA256
e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2
-
SHA512
440220ad23d8313e8d59799bdc04c72b69e34831e9022f4897a4510556115912a295784baeeef82a17ab7ddedc5db41948e0722043eadff43a813d95fcd02545
Static task
static1
Malware Config
Targets
-
-
Target
e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2
-
Size
4.7MB
-
MD5
b81617f91ae5dfc6ba926f807f908ec2
-
SHA1
569b4c96d628ac2fe57ba7851a28ff48eee19270
-
SHA256
e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2
-
SHA512
440220ad23d8313e8d59799bdc04c72b69e34831e9022f4897a4510556115912a295784baeeef82a17ab7ddedc5db41948e0722043eadff43a813d95fcd02545
-
Modifies WinLogon for persistence
-
Modifies system executable filetype association
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Possible privilege escalation attempt
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Winlogon Helper DLL
1Change Default File Association
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
5Bypass User Account Control
1Disabling Security Tools
1Virtualization/Sandbox Evasion
1File Permissions Modification
1