Malware sandboxing report by Hatching Triage

Sharing

Copy URL

Twitter E-mail

General

Target

696e48d60a98aab9ec0fc467950d0616975ad98d44f6116b92c54ab924e52647.exe
Size

52MB
Sample

230327-zjnxgafb77
MD5

73965b6a3e26c56516795057cd50c939
SHA1

c4988ce436fb9e6affe936560a594ab203352126
SHA256

696e48d60a98aab9ec0fc467950d0616975ad98d44f6116b92c54ab924e52647
SHA512

d90f19e795102029bcad0af84a4395e5b90a4249bebc9c45a35327bf886e04aab91ec314088960d2f5657fd3dba56e621c6c4d2ecb72a83f5612638797cb41f1
SSDEEP

786432:k5pflJ4gHxP/Xwt8UNnk2eQsYmGkRbVmptvOXLERk8m4FeGFaecoVBV:kzf7tw7k2iGKkZOoRdmQeGAecyX

Score

9^/10

Malware Config

Targets

- Target
  
  696e48d60a98aab9ec0fc467950d0616975ad98d44f6116b92c54ab924e52647.exe
- Size
  
  52MB
- MD5
  
  73965b6a3e26c56516795057cd50c939
- SHA1
  
  c4988ce436fb9e6affe936560a594ab203352126
- SHA256
  
  696e48d60a98aab9ec0fc467950d0616975ad98d44f6116b92c54ab924e52647
- SHA512
  
  d90f19e795102029bcad0af84a4395e5b90a4249bebc9c45a35327bf886e04aab91ec314088960d2f5657fd3dba56e621c6c4d2ecb72a83f5612638797cb41f1
- SSDEEP
  
  786432:k5pflJ4gHxP/Xwt8UNnk2eQsYmGkRbVmptvOXLERk8m4FeGFaecoVBV:kzf7tw7k2iGKkZOoRdmQeGAecyX
Score

9^/10

bootkit discovery evasion persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Web Service

T1102

Virtualization/Sandbox Evasion

T1497

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Command-Line Interface

T1059

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

T1053

Bootkit

T1067

Privilege Escalation

Tasks

Sharing

General

Malware Config

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Drops file in Drivers directory

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2