General

  • Target: d2893dc91636ece225e8b561e13064424e36114966b1e64a98660589226799f8.zip
  • Size: 58KB
  • Sample: 220910-w9w4zsaeb5
  • MD5: 2d794191c90bc88628d471e99d15fa28
  • SHA1: 695f517c2ff5087bddba79bea719ef746198eabe
  • SHA256: 0cb1195f577217350b7f9c46f26a3ba1f96e27a48b987aa7951e262e9524c011
  • SHA512: 0c35df7f455b6b20425e90e0d4acf1c57209b8207465eab623c71f4d0d573d9e223c55cc0efc7d34a955f6a672f5c563b25ae8e58fd255abedcce91df0ba200e
  • SSDEEP: 1536:Q/x219qrrFDNh9Ae2EOMiITs60ZF05nz1ww38i:uxU9cV7C60Z+zRH

Targets

    • Target: d2893dc91636ece225e8b561e13064424e36114966b1e64a98660589226799f8
    • Size: 116KB
    • MD5: 7b5d3626aa3a0f09acf476d11f4ea1f6
    • SHA1: a9d58d4c8bc666699f14cd81cf098e871619434e
    • SHA256: d2893dc91636ece225e8b561e13064424e36114966b1e64a98660589226799f8
    • SHA512: 0f580ce34d3051c5d8a646101e4ee28d8825c17e60697d8f7792f639661bd34f65a6b69efdbccec907b08454e93dd5c390ff081c30a503efd2e9aa2a0ffb871b
    • SSDEEP: 1536:vmpMxq1J9Nda2yCyje83YY9Yrt9A5bXXRKUsWqfd09dlhJSqj:Txq1rN5fyn3Tirt9WDB01MHJSq

    • Modifies security service

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Modifies file permissions

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic                Technique                        Count  ID
    Execution             Scheduled Task                   1      T1053
    Persistence           Modify Existing Service          2      T1031
    Persistence           Scheduled Task                   1      T1053
    Privilege Escalation  Scheduled Task                   1      T1053
    Defense Evasion       Modify Registry                  2      T1112
    Defense Evasion       Virtualization/Sandbox Evasion   2      T1497
    Defense Evasion       Impair Defenses                  1      T1562
    Defense Evasion       File Permissions Modification    1      T1222
    Discovery             Query Registry                   4      T1012
    Discovery             Virtualization/Sandbox Evasion   2      T1497
    Discovery             System Information Discovery     4      T1082
    Impact                Service Stop                     1      T1489