Overview

overview

10

Static

static

3

xSpoofer-R....0.rar

windows10-2004-x64

7

xSpoofer-R...ys.txt

windows10-2004-x64

1

xSpoofer-R...N8rnm5

windows10-2004-x64

1

xSpoofer-R...or.bat

windows10-2004-x64

9

xSpoofer-R...er.bat

windows10-2004-x64

1

xSpoofer-R...os.bat

windows10-2004-x64

1

xSpoofer-R...23.zip

windows10-2004-x64

1

install_all.bat

windows10-2004-x64

7

vcredist2005_x64.exe

windows10-2004-x64

7

vcredist2005_x86.exe

windows10-2004-x64

7

vcredist2008_x64.exe

windows10-2004-x64

7

vcredist2008_x86.exe

windows10-2004-x64

7

vcredist2010_x64.exe

windows10-2004-x64

7

vcredist2010_x86.exe

windows10-2004-x64

7

vcredist2012_x64.exe

windows10-2004-x64

7

vcredist2012_x86.exe

windows10-2004-x64

7

vcredist2013_x64.exe

windows10-2004-x64

7

vcredist2013_x86.exe

windows10-2004-x64

7

vcredist20...64.exe

windows10-2004-x64

7

vcredist20...86.exe

windows10-2004-x64

7

xSpoofer-R...��.txt

windows10-2004-x64

1

xSpoofer-R...up.exe

windows10-2004-x64

7

xSpoofer-R...up.exe

windows10-2004-x64

7

xSpoofer-R...an.bat

windows10-2004-x64

1

xSpoofer-R...ew.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    xSpoofer-ReleaseNew2.0.rar

  • Size

    109.0MB

  • Sample

    240401-mpqxsscg56

  • MD5

    e0fc7329333f0e0fbd254da085ca2ad8

  • SHA1

    bd008308529302f301964c2ad03704eb65fa4db7

  • SHA256

    37cfc128f60c2c2ede7ffb2db6b9873480e53ecac6184334a2308df477b65be6

  • SHA512

    c84da0c51fcbe07b359284c7b7b0b30220f22fccef14ccdb92954f180b224e8e14afe32e3325167db6f361eb147773c8f90f4093f5428f71675e5d37062f7b06

  • SSDEEP

    3145728:bA7F7pGxl3ksxWz/tqiTFgPEK2H5fyK3OqD9Tmcb2LvEBATd79sY:bA7Z4hxWz/oiBgPEK2veETmcywBKdRsY

Score
10/10
xwormdiscoveryevasionpersistenceransomwareratthemidatrojan

Malware Config

Extracted

Family

xworm

C2

210.246.215.82:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WindowsNT.exe

Targets

    • Target

      xSpoofer-ReleaseNew2.0.rar

    • Size

      109.0MB

    • MD5

      e0fc7329333f0e0fbd254da085ca2ad8

    • SHA1

      bd008308529302f301964c2ad03704eb65fa4db7

    • SHA256

      37cfc128f60c2c2ede7ffb2db6b9873480e53ecac6184334a2308df477b65be6

    • SHA512

      c84da0c51fcbe07b359284c7b7b0b30220f22fccef14ccdb92954f180b224e8e14afe32e3325167db6f361eb147773c8f90f4093f5428f71675e5d37062f7b06

    • SSDEEP

      3145728:bA7F7pGxl3ksxWz/tqiTFgPEK2H5fyK3OqD9Tmcb2LvEBATd79sY:bA7Z4hxWz/oiBgPEK2veETmcywBKdRsY

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1

    • Target

      xSpoofer-ReleaseNew2.0/keys.txt

    • Size

      41B

    • MD5

      f730357cc3276e5383ad7e30b3fc9102

    • SHA1

      c41c012f437cf04b14e8b40724406c153fadb31d

    • SHA256

      6ebd3812c5f2355a3b521b226c0d6111b23f4d61666e4e10b989e64d4dfc0c86

    • SHA512

      ca6de19999243f968038dfb9b0aafa81636ff1655e0c0442fae1c26122830d44ba5f8f6a088cfb2464f77c88ed15a6ea20138e4bf4038b33e65aa82dfb87ba9d

    Score
    1/10
    behavioral2

    • Target

      xSpoofer-ReleaseNew2.0/rjN8rnm5

    • Size

      41B

    • MD5

      9eab77cb455ac5af5ee33f2b58b87c5e

    • SHA1

      8746ced0cdcc6ccc9ced7f76d602f2099ec498ad

    • SHA256

      18fc489631a79742394ea3c099b55b1fc02f707b8d6b306c3156a1614963c222

    • SHA512

      28ecfe4f2df01ee29793522a6882a1644c311a716468549698f5b769b4942399f79ee3c45152f4c780391fff5b2f7cab68df32ff1c4bdd344249d52adfe40e28

    Score
    1/10
    behavioral3

    • Target

      xSpoofer-ReleaseNew2.0/tools/Fix - Windows 11/1.FixError.bat

    • Size

      439B

    • MD5

      1006ae20bb307cb1cba3d9704c0bf7cb

    • SHA1

      8815859c81434941102d8886107b44644e7e9591

    • SHA256

      66398f202427e20fc182859c4e21cdcd3b83e7f6412ee2b121a9d109d3d97f03

    • SHA512

      36b7249b2e7f0ea958c5b9271457577718f08bcebf5756fa9eba9a1d783b0f508e0d37ebbe4c62dfd365f0171d1e3e259614f6f4bf3105d655df7ab8e9d0a446

    Score
    9/10
    evasionransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral4

    • Target

      xSpoofer-ReleaseNew2.0/tools/Fix - Windows 11/2.FixDriver.bat

    • Size

      317B

    • MD5

      ff370c638e689c78896880418dbb80d6

    • SHA1

      61180afeb4d5d5e48068fa0d7adbb1822b11769d

    • SHA256

      ada8d5dfe251b0fa0760d9c0d8d1733919c6d072730d49f394fcaf44c0221353

    • SHA512

      842d096eb5f1897d1970c66850231e2457c9e97433cee73ba3c59691f6379209af89260decf168d4edbcb7ed2edd425dc89b959aebd6cbb03fcc766ddfef6ff1

    Score
    1/10
    behavioral5

    • Target

      xSpoofer-ReleaseNew2.0/tools/Fix - Windows 11/3.FixBios.bat

    • Size

      442B

    • MD5

      0bf665e58712ce11dd65007f89fcb0f0

    • SHA1

      a1f49dc613257d434cb54ad13abec51b3f9fb35d

    • SHA256

      1ac5ba24ca20bea659b8fa7bfb7c75a2b8c86d46ba9e84c131ddab86f6999f4e

    • SHA512

      152de4404688ce82a245dd7df79226eb4b2f3aef9d4acb50559169f1fcf07ce39e02493f8e6ad285c2a80a5b124745650c5f2286be254b81cfdd164f6b2e07f6

    Score
    1/10
    behavioral6

    • Target

      xSpoofer-ReleaseNew2.0/tools/Visual C++/Visual-C-Runtimes-All-in-One-May-2023.zip

    • Size

      95.3MB

    • MD5

      0e143f6074d17a029b13809f71061f9c

    • SHA1

      e823a0d21624643c4381b171d14861e4fc2a1dfd

    • SHA256

      305d700b8e6526149f31864c70529304494584ae1d2b68d271b1bfec9b351def

    • SHA512

      9cab9965a843b3e9fd7fe394e3c94cf2d0ca7103e8be7dd5cc1827dbfbaeb105a4567cf62ed8cc875b157f2a54c69f1b93261c4aeb9fcc366b9b54bd8845ec7e

    • SSDEEP

      1572864:NcF7pGAfV8om32ZiGPwPxWfIi5/tqiTqy/sn8pgNZCkz2H5fyJ83DiHHqDZpbhTT:uF7pGxl3ksxWz/tqiTFgPEK2H5fyK3Oa

    Score
    1/10
    behavioral7

    • Target

      install_all.bat

    • Size

      1KB

    • MD5

      eb55aae630088c91b88d2bfae4115ea0

    • SHA1

      1495c69946edca474fe30c2b713aacb9f03bbf3a

    • SHA256

      492ee4c16ac45a5483088583c9caa08252d3a1bb3922dbbec834d61673538f17

    • SHA512

      48e4a3fa644b1859131cfec782641aaee9938c88f939ca0509df0f4120b922187753ce7cd7d912d2f90108526ba34d767baa28c9eeeb25d43fff77d38ddfd882

    Score
    7/10
    discoverypersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral8

    • Target

      vcredist2005_x64.exe

    • Size

      3.0MB

    • MD5

      56eaf4e1237c974f6984edc93972c123

    • SHA1

      ee916012783024dac67fc606457377932c826f05

    • SHA256

      0551a61c85b718e1fa015b0c3e3f4c4eea0637055536c00e7969286b4fa663e0

    • SHA512

      f8e15363e34db5b5445c41eea4dd80b2f682642cb8f1046f30ea4fb5f4f51b0b604f7bcb3000a35a7d3ba1d1bcc07df9b25e4533170c65640b2d137c19916736

    • SSDEEP

      49152:+r67+stI6RWGTAdyvlADUrpTmcOgohwJpEM5grO3oc1OXZViFeRyDErkLUMHzkRN:AM9l8pUr9m30L5grOQXZKAsErkbQRN

    Score
    7/10
    persistence

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral9

    • Target

      vcredist2005_x86.exe

    • Size

      2.6MB

    • MD5

      ce2922f83fb4b170affce0ea448b107b

    • SHA1

      b8fab0bb7f62a24ddfe77b19cd9a1451abd7b847

    • SHA256

      4ee4da0fe62d5fa1b5e80c6e6d88a4a2f8b3b140c35da51053d0d7b72a381d29

    • SHA512

      e94b077e054bd8992374d359f3adc4d1d78d42118d878556715d77182f7d03635850b2b2f06c012ccb7c410e2b3c124cf6508473efe150d3c51a51857ce1c6b0

    • SSDEEP

      49152:rqGRIgg2SirwkF9xdtb43lyGKCafpKkiwnaDahmPzpY4FPyaza:rxxLFfY/KCCpKk9aWMzZyau

    Score
    7/10
    persistence

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral10

    • Target

      vcredist2008_x64.exe

    • Size

      5.0MB

    • MD5

      e2ada570911edaaae7d1b3c979345fce

    • SHA1

      a7c83077b8a28d409e36316d2d7321fa0ccdb7e8

    • SHA256

      b811f2c047a3e828517c234bd4aa4883e1ec591d88fad21289ae68a6915a6665

    • SHA512

      b890d83d36f3681a690828d8926139b4f13f8d2fcd258581542cf2fb7dce5d7e7e477731c9545a54a476ed5c2aaac44ce12d2c3d9b99c2c1c04a5ab4ee20c4b8

    • SSDEEP

      98304:98I8/pCVmdbx2rU/xFnTBU8UeNeagEXtIgvjyGFDdo85qyKYr5NM62dNKViClWPg:9Avx2rw5Th8XeNyGtW0DJr5uDdQdWPet

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral11

    • Target

      vcredist2008_x86.exe

    • Size

      4.3MB

    • MD5

      35da2bf2befd998980a495b6f4f55e60

    • SHA1

      470640aa4bb7db8e69196b5edb0010933569e98d

    • SHA256

      6b3e4c51c6c0e5f68c8a72b497445af3dbf976394cbb62aa23569065c28deeb6

    • SHA512

      bf630667c87b8f10ef85b61f2f379d7ce24124618b999babfec8e2df424eb494b8f1bf0977580810dff5124d4dbdec9539ff53e0dc14625c076fa34dfe44e3f2

    • SSDEEP

      98304:vT4tlQ0aeY51XNURYxaA6qjEb9tRuPmBmWBDLTMTtbslyzRt9cuISY6Qa:vKlhE9U6476itR+mLPw6lyZY61

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral12

    • Target

      vcredist2010_x64.exe

    • Size

      9.8MB

    • MD5

      c9d9eebccef20d637f193490cec05e79

    • SHA1

      15d032d669078aa6f0f7fd1cbf4115a070bd034d

    • SHA256

      cc7ec044218c72a9a15fca2363baed8fc51095ee3b2a7593476771f9eba3d223

    • SHA512

      24b56b5d9b48d75baf53a98e007ace3e7d68fbd5fa55b75ae1a2c08dd466d20b13041f80e84fdb64b825f070843f9247daba681eff16baf99a4b14ea99f5cfd6

    • SSDEEP

      196608:n9A3D5MBD0vwqMKgL29M2JWMWiKV/nPlnqIaAAVINqsAsbPnpCxmz7dU8:23D5MBwZMd0b4oSQ7VSrAs1gEdU8

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral13

    • Target

      vcredist2010_x86.exe

    • Size

      8.6MB

    • MD5

      1801436936e64598bab5b87b37dc7f87

    • SHA1

      28c54491be70c38c97849c3d8cfbfdd0d3c515cb

    • SHA256

      67313b3d1bc86e83091e8de22981f14968f1a7fb12eb7ad467754c40cd94cc3d

    • SHA512

      0b8f20b0f171f49eb49367f1aafa7101e1575ef055d7007197c21ab8fe8d75a966569444449858c31bd147357d2bf5a5bd623fe6c4dbabdc7d16999b3256ab8c

    • SSDEEP

      196608:e9A3DAnfudQZKuNK0kMp2Wxw2tr3aA5Jegn9kaK6Hj0aaNz9ZBJ7C:t3DAnGKZKuNK0SvAn9kaK6gaaNRZbC

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral14

    • Target

      vcredist2012_x64.exe

    • Size

      6.9MB

    • MD5

      3c03562b5af9ed347614053d459d7778

    • SHA1

      1a5d93dddbc431ab27b1da711cd3370891542797

    • SHA256

      681be3e5ba9fd3da02c09d7e565adfa078640ed66a0d58583efad2c1e3cc4064

    • SHA512

      6c2f4eeb38705c2dafc4d75d8de0036a0aed197f83e9cb261d255fe26e4391f24b0b156e9019c739dd99057041c2bb80f9ab80f56869bc1e01f0469a76f24f75

    • SSDEEP

      98304:vRWKtOl5CCGomEBkHUBmExJrIUg32t9RRyvo7VnOcyP24Vc35re94tb0eYbY1poo:v3tO3CCT/hBxtVtyUVnmSprzVIY7QKAk

    Score
    7/10
    discovery

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral15

    • Target

      vcredist2012_x86.exe

    • Size

      6.3MB

    • MD5

      7f52a19ecaf7db3c163dd164be3e592e

    • SHA1

      96b377a27ac5445328cbaae210fc4f0aaa750d3f

    • SHA256

      b924ad8062eaf4e70437c8be50fa612162795ff0839479546ce907ffa8d6e386

    • SHA512

      60220a7c9de72796bd0d6d44e2b82dbdd9c850cc611e505b7dc0213f745ff1f160b2d826eaf62fd6e07c1a31786a71d83dc6e94389690fd59b895e85aba7444b

    • SSDEEP

      196608:OwKjLs+UIkzHlAv4X6zQRgiwHLD2LQIX/:9KjaxFFP1iLD2LnP

    Score
    7/10
    discovery

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral16

    • Target

      vcredist2013_x64.exe

    • Size

      6.9MB

    • MD5

      49b1164f8e95ec6409ea83cdb352d8da

    • SHA1

      1194e6bf4153fa88f20b2a70ac15bc359ada4ee2

    • SHA256

      a4bba7701e355ae29c403431f871a537897c363e215cafe706615e270984f17c

    • SHA512

      29b65e45ce5233f5ad480673752529026f59a760466a1026bb92fc78d1ccc82396ecb8f07b0e49c9b2315dbef976cb417273c77f4209475036775fe687dd2d60

    • SSDEEP

      196608:bPwMcp4zKAKpCPhD5nsF5GBAiSG5VtJFeHi:0McAWKJsF5vib5VtTeC

    Score
    7/10
    discovery

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral17

    • Target

      vcredist2013_x86.exe

    • Size

      6.2MB

    • MD5

      38a1b890ce847167d16567cf7b7a5642

    • SHA1

      0f5d66bcaf120f2d3f340e448a268fe4bbf7709d

    • SHA256

      53b605d1100ab0a88b867447bbf9274b5938125024ba01f5105a9e178a3dcdbd

    • SHA512

      907a9aac75f4f241a85ecb94690f74f5818eea0b2241d9ef6d4bf171f17da0f4bc702e2bb90c04f194592fcc61df5c250508d16b886ed837a74b9f45da9627cd

    • SSDEEP

      196608:hPMlUtWUVbuVAwgg1wGiU6QCs9FbEwEhMJ:oUUUNHg1wGd6QxbEwv

    Score
    7/10
    discovery

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral18

    • Target

      vcredist2015_2017_2019_2022_x64.exe

    • Size

      24.2MB

    • MD5

      077f0abdc2a3881d5c6c774af821f787

    • SHA1

      c483f66c48ba83e99c764d957729789317b09c6b

    • SHA256

      917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888

    • SHA512

      70a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939

    • SSDEEP

      786432:Rip+Ty2SfUfnRLL96rFyZrimbJdCnoJpOhX+dx:Mp+Ty2SfWnFJ6rQVdKhX+dx

    Score
    7/10
    discovery

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral19

    • Target

      vcredist2015_2017_2019_2022_x86.exe

    • Size

      13.2MB

    • MD5

      ae427c1329c3b211a6d09f8d9506eb74

    • SHA1

      c9b5b7969e499a4fd9e580ef4187322778e1936a

    • SHA256

      5365a927487945ecb040e143ea770adbb296074ece4021b1d14213bde538c490

    • SHA512

      ec70786704ead0494fab8f7a9f46554feaca45c79b831c5963ecc20243fa0f31053b6e0ceb450f86c16e67e739c4be53ad202c2397c8541365b7252904169b41

    • SSDEEP

      393216:yvRtlptVYmfr7yBG/41w0vJROFTfCTKw27:y1pttD7yBG/OTvJRGCN27

    Score
    7/10
    discovery

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral20

    • Target

      xSpoofer-ReleaseNew2.0/tools/Visual C++/วิธีติดตั้ง.txt

    • Size

      792B

    • MD5

      78915e149e25b857035f84f6de8cdc61

    • SHA1

      e65bab0ce3d0cda461e0d2658cdb1a23f69b0d85

    • SHA256

      fccda4aed953d3a17daf55871b8c05e49e2c31979a6476d0b62e189d33e1ac7e

    • SHA512

      d7a3835e4602e921bb3851c10a72bd3454f1c0a3599b2876c41f1874bbd0ddfdcbe63f40fd07c29436dad8a3a50567a015bb6b9c68f783355f6651c4be513198

    Score
    1/10
    behavioral21

    • Target

      xSpoofer-ReleaseNew2.0/tools/dxwebsetup.exe

    • Size

      288KB

    • MD5

      2cbd6ad183914a0c554f0739069e77d7

    • SHA1

      7bf35f2afca666078db35ca95130beb2e3782212

    • SHA256

      2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

    • SHA512

      ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

    • SSDEEP

      6144:kWK8fc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQV:VcvgLARDI1KIOzO0

    Score
    7/10
    persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral22

    • Target

      xSpoofer-ReleaseNew2.0/tools/revosetup.exe

    • Size

      6.6MB

    • MD5

      e3574fa758b4bfc212fb9020dc882935

    • SHA1

      2dccacd9037a88082214638440d4ccdf2a894990

    • SHA256

      d6d51e144c72adbcf595cbba251001059980cb576f22530e45c53d9f5a0a4dfb

    • SHA512

      d57e1f7d5247549f04cfd3cdfcd661be9d70c92a7f72d0b0c5a46ccec4ee98d93520eb4aa8a41561a03309b77ccdc7d4796940cc29eb612c521c1e3287f29ee9

    • SSDEEP

      196608:Hdja9oHCYgyaUqjPCsqEc83U3pl6H5DUyXq:9ja9oHCPUqjbk3pYfa

    Score
    7/10

    • Executes dropped EXE

    behavioral23

    • Target

      xSpoofer-ReleaseNew2.0/tools/xspoofer-clean.bat

    • Size

      563B

    • MD5

      5dac7208934eb5dc67e2ea51c2506528

    • SHA1

      ccc5a26f2a0454cfbb7496faa232116446194394

    • SHA256

      edaf0685c779d332d78cc3a836aa01808eb84aa99252a5b123055a2a4f13a6f3

    • SHA512

      10aa0df67f323ecb06c074ef15932195de1dddf7ed4c4a87b93024e836e99db99d46c6777690092ee756d320f9bc38164f2bbbed03f0b389f39a42ae76a420bf

    Score
    1/10
    behavioral24

    • Target

      xSpoofer-ReleaseNew2.0/xSpoofer-new.exe

    • Size

      7.0MB

    • MD5

      6b47add2cf208a988c57c8f00461de0b

    • SHA1

      cf9518f4bd3cf94ab7225423e4365f4a262a9c61

    • SHA256

      b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07

    • SHA512

      e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35

    • SSDEEP

      196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/

    Score
    10/10
    xwormevasionratthemidatrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral25

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

4
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

4
T1547.001

Defense Evasion

Modify Registry

5
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

23
T1012

System Information Discovery

18
T1082

Peripheral Device Discovery

7
T1120

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Resource Development

Reconnaissance

Tasks