63daa075e81592f7980f96d08ca80b0d6c8f835de1ddc8681565043c3dc871df | Triage

Sharing

General

Target

setup_x64.zip
Size

5.2MB
Sample

230316-a8869sgb75
MD5

8be0a5bbf729e0bc6f5fbc87c186a541
SHA1

cecdfdc4ef75e0986dfbf30e891f81912ccdb33a
SHA256

63daa075e81592f7980f96d08ca80b0d6c8f835de1ddc8681565043c3dc871df
SHA512

a404d761eb6542a8bced841b5b6271e1b52954058b9a76cec049d3a5e0ed98b1709737992d0026a26ee7004e686415638c84d3fa359ace4ceea0a678fd028ecd
SSDEEP

98304:aHIHmIjbRPxAO2MXzEyXRfdt7rH3OLHSeJyWLoLkxGXU/RwTDnmXUeW2v:aoGuxxAO2MDEyXrtPFH4xGXEwPTW

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Targets

- Target
  
  setup.exe
- Size
  
  5.4MB
- MD5
  
  e6ea101f6b54bdad1b08749e298aff4d
- SHA1
  
  a9893f6f54b09f6e027d1d57ccaa337ab5437509
- SHA256
  
  933d3a8d9e9de04ac5a6461f70d01cfa5aafe1aa91d9e0a9549c0dd9934e46d7
- SHA512
  
  12367448815c1d2dd55448370d038c420d1fee0b7a796c0ee598fdeb21d38a11492a614d412edc36f4a36f5ec36732c273f6fd2a7d6a611cf6cd19fc787186ea
- SSDEEP
  
  98304:Gf0zekP19unpe6M/TTmTUYpjo6ORHkUtFOtat9TV/+Yu:R1jmpjoBJKYpi
Score

9^/10

bootkit evasion persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  setupapi.dll
- Size
  
  4.5MB
- MD5
  
  a2d16ec8a9c7e90bb39869372b482aff
- SHA1
  
  559944e259019493f3b7a68ee9d3d80efe3be0c6
- SHA256
  
  6f898b40fb49d1ae7f4bdb737ebd891c7019575f6700a63ea14d7bad4cf609ff
- SHA512
  
  b9ec3cddf5aa76ee8f9ea3c18ab66b8bf8dd860440eb791995b9f86aeadcbf5ab1b9e5e1cdb58d29a6ecc02212bce64201c1657f11f0acbe01cf73be6e7de0ea
- SSDEEP
  
  49152:lJZ7dS3oCGBDDkPOpxATxM40gaY/TQ3SDJ2oGW8IdctHle7M4HP1YUKIT+NuXVRJ:ljtfnATxBBU3SDJpTOuXVRWxS5F
Score

5^/10
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  verifier.dll
- Size
  
  386KB
- MD5
  
  adf0f2f7ab69b71e73895fd23949b318
- SHA1
  
  ffd20ff94c647d49513d0abb24415e3d72c6babf
- SHA256
  
  c1228eb181ac5fc2b6f8404404d6c5e04d78d7c85c4502d1453ead4616f21a28
- SHA512
  
  38424bb115151a47babd7a19e0fd48cc208609bfbf57b63430eaa1cd1aaca08247ae88de056c244bda172e648359d8fc3de98d0d379b3c4b0f34db4567d35b4d
- SSDEEP
  
  3072:40j7r+nepRUtySYKWxZRjPYas35zrdbqK4n3tZXUi928Fh5wYFQxV3Zsd8TUnIXT:Bv62RyySYFZFgaSN9Q9ZXUgh5VMnL
Score

1^/10
behavioral5 behavioral6
- Target
  
  version.dll
- Size
  
  30KB
- MD5
  
  17c1e1099b65051bb6dec71fea37315b
- SHA1
  
  8ed26469afbd53da7749ef9c6ab8c7f010e9bb1e
- SHA256
  
  e549d528fee40208df2dd911c2d96b29d02df7bef9b30c93285f4a2f3e1ad5b0
- SHA512
  
  e5274c47786f14c4275307c80d0eca48797267d32b069aed30993e571ead0289652e1254bd2ecabef3b2bc2039504e156ed2eae9c2c280b31034fa457a32ea79
- SSDEEP
  
  768:FrAO9YmckVPxIiTAqMwwyg2ulzxAfv5r6wD1Pe3pU:FrnYmckVPxIiTAqMwm2ulzxAfv1Pe6
Score

3^/10
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bootkitevasionpersistencetrojan

behavioral2

bootkitevasionpersistencetrojan

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8