834f924e9cda25a052469f30da9f32f6966baf723afdc3d98ac41e6de9ae2610 | Triage

Sharing

General

Target

834f924e9cda25a052469f30da9f32f6966baf723afdc3d98ac41e6de9ae2610
Size

11.6MB
Sample

221124-ges2hsfd9z
MD5

610bc825d92d798e06b730e29db0b474
SHA1

1affbf78b364269b367237548842dc463088564a
SHA256

834f924e9cda25a052469f30da9f32f6966baf723afdc3d98ac41e6de9ae2610
SHA512

6dfe8b26202361d2f8e3fbcdc6c7e218559fed4b32da0730659a81df1ad8105432fbfbcd9713c54b37074019a9d77b849e08724886513c47ad51a0875624a866
SSDEEP

196608:Hh9zqWJlKxtPgAXXBapaFwA1sFf+NYESniPLEJtWDVG/dQ12gBECRG1Xa/Yf:Hh9zxEG0B3FwA18iHKwl1aDq/4

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Targets

- Target
  
  luokwgjyfz/西西单机游戏.url
- Size
  
  151B
- MD5
  
  0e86176b4bc94b9eb1a69e62ff7d662f
- SHA1
  
  402e7dc0c5afb8ce4a3fa8436a443752347f8000
- SHA256
  
  35db64621f578341c0fcfd92ecaf86a60a0f60f8fddb4cea902886542820c9df
- SHA512
  
  5f2786850d332889c18a5f6911fa995320a310fceded559c131c4b981ef989ed99df48c2d55b1daf325dcb0a5fa57d0a5de6457b9daeba1bc2fd5fe60aff2958
Score

1^/10
behavioral1 behavioral2
- Target
  
  luokwgjyfz/西西软件园_百度搜索.url
- Size
  
  206B
- MD5
  
  0a017936d46c03a7dde04813ccced0da
- SHA1
  
  ea63079b676c2c70d2d8f708f432aa87c6b52922
- SHA256
  
  75d652edc92941a4997a2fe96573aa37a13a587aeb9024638841b3a81170b8c5
- SHA512
  
  d14da50099e2e77e4a5ffba4932cd5ee8c75eeffba86d9e702453056a5173acc84757ca44a46da2bea0a3589500035f39a971cb7a3fd38685ee94be526b7fc3b
Score

1^/10
behavioral3 behavioral4
- Target
  
  luokwgjyfz/记忆ゞ神辅.exe
- Size
  
  10.5MB
- MD5
  
  fe5747fb7cb53fa02f9a83c1344a817d
- SHA1
  
  ca609fd11e4eb75011485e1aa9a06b962bd66a15
- SHA256
  
  efb77938fa94868cfc797dbbe02bfe42b685a45d370e47cf546f64ecdcbfc932
- SHA512
  
  0d7ff6bea905f60b7f56438386347d74539edfe3bc9cdb46741caf1b3f8b274fa3b026caf4523980434b30455753b793bddf1f3771460b94d083866c8048d4c6
- SSDEEP
  
  196608:Gty7LfsmVluDbdmYh0pf8/UGy98zv63h6FxQ9PgNgaDwGz1j3hakw:14muvdmYhUKHOg9N4Kok
Score

9^/10

evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral5 behavioral6
- Target
  
  setup_90000170.exe
- Size
  
  1.4MB
- MD5
  
  f34e66fb58d8cace441e9a6fdd9998aa
- SHA1
  
  4b719111844a8788ede32bfd0a93ee0ce1e7410f
- SHA256
  
  53e01b61ccf9868ab79aad471e84226b2090f8cba87fa0ec0fb487755e8c19d4
- SHA512
  
  4d4072ce78398252ae03591bf886ae8602c49dfc8dc33b31de279bde402714c2a91d38c2ec984077a9b67e4610ec9dea213dc02d381382721c2ea42ae6dc9ab0
- SSDEEP
  
  24576:+CgIYG5yhyeFZGi9LEoXjpANX4JzOi30lZl8nNyUcyqWWaDwKbTI1yQEKo9gt6K:tYWyhyeF0i9LEoXjMI07+cybWeY1yQE6
Score

7^/10

bootkit persistence
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

bootkitpersistence

behavioral8