Overview

overview

10

Static

static

7

bingdu/爱...ok.exe

windows7-x64

10

bingdu/爱...ok.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bingdu.rar

  • Size

    22.8MB

  • Sample

    230401-k7qzeaha99

  • MD5

    bb0f2e7ecdd15e53c93f08df97d46889

  • SHA1

    46ee82d3f613e0fe562d03ea96942b8fae17a8d2

  • SHA256

    9705b92cacffa01e2d883105e9f187ddc1249c27067834fbbb7c3687f3adcd8c

  • SHA512

    fef017511c7953206980bf4b8dcb4ffa855213b35be44fb9e12048cce087d3e73b3a5ba4303fdfd335dc07e45faf25d9e35f89b8e2ef04ffd8b1e6ea1f1112d4

  • SSDEEP

    393216:eF6gL4LYbp9pr5AUBfl+2ZOwFz6G1YZJSadBn8XHmCZDfq+jhSvLxqEiYAR:ekKsYb3pFAgPRwGaSmnhClq+MdqlzR

Score
10/10
bootkitevasionpersistencethemidatrojan

Malware Config

Targets

    • Target

      bingdu/爱比较抬棺_TMDprotected from thrretbook.exe

    • Size

      29.0MB

    • MD5

      d0cc7d1a14561d9a133ed12d4694fdeb

    • SHA1

      470e667842a11a6669ba075052c9c235db3aef2a

    • SHA256

      5929bd7cabc52719ff3a5a29ffc338def05771afe085fbf4fda3dacaadfa86cb

    • SHA512

      2079fe22587cd3fe626b124a1fe1ed73cee20e1773aee63eb263a8c2eaeb61d610d3a6c366875610cccfabc445d0ca99d4cbecf27d913a53584a22a26787fca5

    • SSDEEP

      786432:ahatI81fyQnJnJvvWiSVuKoWvy6UyXlOGFFa8i971/Oh6WHcVXdY:ahv+yQJJv+j7vCWaX7I8JK

    Score
    10/10
    bootkitevasionpersistencethemidatrojan

    • Modifies WinLogon for persistence

      persistence

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables cmd.exe use via registry modification

      evasion

    • Drops file in Drivers directory

    • Sets file execution options in registry

      persistence

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

3
T1060

Change Default File Association

1
T1042

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

5
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks