Overview

overview

10

Static

static

663698248f...ef.exe

windows7-x64

10

663698248f...ef.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    663698248f8b0e3ab5d58abe2a6fb2e7be21e4e4c4cf65693b7b3bbc6be7c1ef

  • Size

    3.9MB

  • Sample

    221126-1ata9sfa65

  • MD5

    fd27fec87ff61b77b815fc3d6b77a9c4

  • SHA1

    9a250fa16fa7a00dfa01e1384d00d902df71fcd6

  • SHA256

    663698248f8b0e3ab5d58abe2a6fb2e7be21e4e4c4cf65693b7b3bbc6be7c1ef

  • SHA512

    f6f490ed00fcf460e25b77483b04fa8c452c91ddeeb0a64c434763e6f7d2df2d7eacd56727615cea9b37ed9a0ccf10fe81ce8992cbb80b4b02b0daecc71c1bfc

  • SSDEEP

    98304:SyIyGXk/2gPQDUEJ7qw7P8fpmr5GPInWXh+nboj3aVA:myG0/2KyDH7kfpo5GrXh+nbY3v

Score
10/10
bootkitevasionpersistencespywarestealerthemidatrojan

Malware Config

Targets

    • Target

      663698248f8b0e3ab5d58abe2a6fb2e7be21e4e4c4cf65693b7b3bbc6be7c1ef

    • Size

      3.9MB

    • MD5

      fd27fec87ff61b77b815fc3d6b77a9c4

    • SHA1

      9a250fa16fa7a00dfa01e1384d00d902df71fcd6

    • SHA256

      663698248f8b0e3ab5d58abe2a6fb2e7be21e4e4c4cf65693b7b3bbc6be7c1ef

    • SHA512

      f6f490ed00fcf460e25b77483b04fa8c452c91ddeeb0a64c434763e6f7d2df2d7eacd56727615cea9b37ed9a0ccf10fe81ce8992cbb80b4b02b0daecc71c1bfc

    • SSDEEP

      98304:SyIyGXk/2gPQDUEJ7qw7P8fpmr5GPInWXh+nboj3aVA:myG0/2KyDH7kfpo5GrXh+nbY3v

    Score
    10/10
    bootkitevasionpersistencespywarestealerthemidatrojan

    • UAC bypass

      evasiontrojan

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

      evasion

    • Drops file in Drivers directory

    • Sets file execution options in registry

      persistence

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks for any installed AV software in registry

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Bootkit

1
T1067

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

5
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

Security Software Discovery

1
T1063

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks