General

  • Target: Vape Lite.exe

  • Size: 13.7MB

  • Sample: 230128-y18grsgb92

  • MD5: 5e2d657a39c8a243c6d781f20f98f38f

  • SHA1: 4088ae74ad0a22a7640bfe74e0f53479e555cbf0

  • SHA256: 2b2071a6b8b552691034efe266ccc13cb72ca20fc25ef4347b748a7cc02e88ad

  • SHA512: d0fda8495bf027b48cc3afd26a6efd47135a7712f4cbc5d372bb01216a7e9064ab8fb924abb3b6386ee23a165824194c8e4b76ef31d3288712af227daddfd3c3

  • SSDEEP: 393216:fpNdNeyLeQ+gPYxto0eba2gtgebkkC7E:fdQyaQJPY/ca26gebME

Malware Config

Targets

    • Target: Vape Lite.exe (size and hashes as listed under General)

    • Modifies security service

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies file permissions

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                        Count  ID
  Persistence      Modify Existing Service          2      T1031
  Defense Evasion  Modify Registry                  2      T1112
  Defense Evasion  Virtualization/Sandbox Evasion   1      T1497
  Defense Evasion  Impair Defenses                  1      T1562
  Defense Evasion  File Permissions Modification    1      T1222
  Discovery        Query Registry                   3      T1012
  Discovery        Virtualization/Sandbox Evasion   1      T1497
  Discovery        System Information Discovery     4      T1082
  Impact           Service Stop                     1      T1489

Tasks