b7477219089074d0a7c3b8700d94d325e859684ecd6275726cd70bb8587cc853 | Triage

Submit
Reports

Overview

overview

8

Static

static

1

8139a6d186...80.msi

windows7-x64

8

8139a6d186...80.msi

windows10-2004-x64

8

Sharing

Copy URL Twitter E-mail

General

Target

11892726871.zip
Size

32.5MB
Sample

230920-kpn24afb9v
MD5

3010f3fc61b31fc115a74f5787dc979e
SHA1

088118f5fdbc9977a8c7099728195ed330cc4efe
SHA256

b7477219089074d0a7c3b8700d94d325e859684ecd6275726cd70bb8587cc853
SHA512

11b14d56e3a4179c8e7bcdb9821baa7d9c90a111a0411e8e6c276e8ab7c0617cb3b521cc92ab960b22c5bac8bb6c1444d2f32761d04e1856653c82ade15efd62
SSDEEP

786432:16pUU/nTG6wiiege6MjBKdHmFvPZhOqNEVuwj0:16pUf6lieg1dW3ZhOqkTo

Score

8^/10

bootkit evasion persistence trojan vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

8139a6d186626514c2b05a2e2d44b4c7941ad8ce009a79c79919fddaa962b980.msi

Resource

win7-20230831-en

bootkit evasion persistence trojan vmprotect

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

8139a6d186626514c2b05a2e2d44b4c7941ad8ce009a79c79919fddaa962b980.msi

Resource

win10v2004-20230915-en

evasion persistence trojan vmprotect

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  8139a6d186626514c2b05a2e2d44b4c7941ad8ce009a79c79919fddaa962b980
- Size
  
  34.8MB
- MD5
  
  ef22331f4b057a97cf51fc6bf27f0d0c
- SHA1
  
  c72613236fe04033baacf49e6fbaa7a447bd2c6d
- SHA256
  
  8139a6d186626514c2b05a2e2d44b4c7941ad8ce009a79c79919fddaa962b980
- SHA512
  
  72a13bc0412ce78afc023d44197609961b5756e3b1e1c2ec6ea0c91598c41a9dd2fe3949c242d878ac5cbd700c95d61294d7f333aab3e06830c2ceabff9009bd
- SSDEEP
  
  786432:1eD9unb42u8sn6RtKBiLO61AojwkG17aFlx5IxOIeHiER:gJKVHKBFKAojq1GFa0W
Score

8^/10

bootkit evasion persistence trojan vmprotect
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitevasionpersistencetrojanvmprotect

behavioral2

evasionpersistencetrojanvmprotect

© 2018-2025

Terms | Privacy