General

  • Target: 1.zip

  • Size: 6.2MB

  • Sample: 230109-m2nm7sdh72

  • MD5: 67bb29f20cbbccc71b3e090162b62c9a

  • SHA1: ffe6536dce6665c128cca3ce792b9eef51437940

  • SHA256: 8c61ae1ec613ada2c000f4219e7fe33400c18e5e787c9762674cb45e81a23e3b

  • SHA512: 93768c3b220c5dddf057ee02373a93751e916c950a670eae68d2069dcd2a831a53f1d3e44560222f0bb281cf44a09c0fb07fc0965e2b92c20072312e8e6f130b

  • SSDEEP: 196608:bO2swrNGEE+Jjcj5Z5OKo89hwZpe1dOvoRAH:S0NXVqvwKo8LwyGvKAH

Malware Config

Targets

    • Target: 1.exe

    • Size: 6.4MB

    • MD5: 1633a17d9fe1614e44ed2fd60ccbacdc

    • SHA1: dd824c5db8f807366826998942d6710ac29121a8

    • SHA256: a1d2f4f45a1807e61807649d05063aa1d77638e4f6995020c6ac84b48c0bff95

    • SHA512: e303d1373ea9f7a0d35f6834a937e25c05c8552e55fd8c29de7670c2db4bf17a7af9476925ad3b820062d9b366213d47697db0101c224f87d4accafebb28b118

    • SSDEEP: 196608:ARnXFcNKaCYG6G3nKbZOGymJruTvwGe1Hm:+X6NzM6WneJOvwxJ

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v6

Tasks