General

  • Target

    xx-lavacrypt-dfgs.exe

  • Size

    757KB

  • Sample

    240425-p9mrzsah7t

  • MD5

    0aee27ff78ad1b6de193fb9527f2bad1

  • SHA1

    62510b0be0084347ef5a26191de2b87423c96ff3

  • SHA256

    784701d5138d608aacea3c83d5326af091766d37bc8be5f8aebb8d238f8249fa

  • SHA512

    0020a8808c94ceae9df24b36c1ebfcc8b09b550bee85c01a89a268f6e57eccd4ba3831c5b0a6af3649b10574c2840f8f3032bf206d0fd9ec250944153272b813

  • SSDEEP

    12288:3SwSQFyl4f9xaVpQ46RdqabYHO8sMCgHYzKpqyYN9sqM0+IuLbcyYhGJZNy6pDW8:QQFlKTQ46L8HthCxIqyl6UvNYhcZs67r

Malware Config

Targets

    • Target

      xx-lavacrypt-dfgs.exe

    • Size

      757KB

    • MD5

      0aee27ff78ad1b6de193fb9527f2bad1

    • SHA1

      62510b0be0084347ef5a26191de2b87423c96ff3

    • SHA256

      784701d5138d608aacea3c83d5326af091766d37bc8be5f8aebb8d238f8249fa

    • SHA512

      0020a8808c94ceae9df24b36c1ebfcc8b09b550bee85c01a89a268f6e57eccd4ba3831c5b0a6af3649b10574c2840f8f3032bf206d0fd9ec250944153272b813

    • SSDEEP

      12288:3SwSQFyl4f9xaVpQ46RdqabYHO8sMCgHYzKpqyYN9sqM0+IuLbcyYhGJZNy6pDW8:QQFlKTQ46L8HthCxIqyl6UvNYhcZs67r

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks