General

  • Target

    828e97849947eac4a9ca96aade810bc90564831d648a6b16c0c7902e465e6b74

  • Size

    2.4MB

  • Sample

    221129-hmgh5ahh3y

  • MD5

    a96ea6b5bcb88b58bc87a32c8b19d697

  • SHA1

    f1a1ac44bd43a65ff639cb9a29a1767c0b00fb70

  • SHA256

    828e97849947eac4a9ca96aade810bc90564831d648a6b16c0c7902e465e6b74

  • SHA512

    d9c68d36cc78307d9c0d0240c9eb462a07dee0512b4b058bba4f2fb8d3b42ca3beeeb75afe4ab62b273b98a6fe0ff82b9cccbb2af12e70d5068793c7f771b413

  • SSDEEP

    49152:ySeQ9AYKVtE3mpwz2lIu2/exeEFTOrP/IXxwE1fYrleo2/uMo:deeKVtHm0u/exeEFTOj/IXyAwleXo

Malware Config

Targets

    • Target

      ICONCH~1.EXE

    • Size

      1.1MB

    • MD5

      714fec58517cf8ec758106f9e92cb4cd

    • SHA1

      b1b03ba2dd2f94ce07b055854687fe5853324309

    • SHA256

      a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82

    • SHA512

      7eba6963e166e92992208587e11f20992f6166101708dee47282e405a393002266e098f6e7d2aade9c5edd6887c8192bf4eac3f5f797134beef334c81f459c3a

    • SSDEEP

      24576:2mQcUXo8ZwC+trY/dESAMtsYW3z6Hgc5OD+3zF3yiRFUh93AFI/eKwUoWHw:xw7vQrYVftPDOD8zg8Fw3iI/eRWQ

    Score: 8/10

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      SERVER~1.EXE

    • Size

      1.8MB

    • MD5

      264df844abb71f9a049a52fe119a12d6

    • SHA1

      8fd1ff9fce8a02a4b5b434e67bd02d268ca0b955

    • SHA256

      dee0020e745a6bd0eb21c46136e9573502ec8e3e9f785a99f3a3a6936c53b7be

    • SHA512

      ac8c8faec9e7a311b14d30b4849ef725aa77d406c082078ca23c9415e2275fba30a58dcd2c0929bccece976b161d3bb006a3c91d916df8ad85d49cf4d3689300

    • SSDEEP

      49152:ZGR0ojUWvEtjD85JoQFbbKLT9f7B9BZW4Oj1:Zw00UaQDSJoQFXKLT9TB9Bw1

    Score: 7/10

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder: T1060 (1)

  • Defense Evasion

    Modify Registry: T1112 (1)

    Virtualization/Sandbox Evasion: T1497 (1)

  • Discovery

    Query Registry: T1012 (2)

    Peripheral Device Discovery: T1120 (1)

    System Information Discovery: T1082 (1)

    Virtualization/Sandbox Evasion: T1497 (1)

Tasks