Overview

overview

9

Static

static

3

cd3fd72c86...57.exe

windows7-x64

9

cd3fd72c86...57.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cd3fd72c86defc317c58ae5fb7bc7fcb6ee7e2c37d3bb0aa214fa3552602b557

  • Size

    14.6MB

  • Sample

    240525-xetwtaee63

  • MD5

    51f8844e1ffe0784c96c775213e12da7

  • SHA1

    d96bef1c07db5088160a5e4e362cfe7f22a61ab5

  • SHA256

    cd3fd72c86defc317c58ae5fb7bc7fcb6ee7e2c37d3bb0aa214fa3552602b557

  • SHA512

    b4a76b3b19db4865abc3db6c534d73c9f2ed69dd37cbc50069cdc2a484df713c5f78e98db03770a9ce43fa8024ef7ca26c64ea599c278be091e39ebd7b433c01

  • SSDEEP

    393216:RWMypjm/mSh6gcMGo13D7VquFeRq5solYLML5vnF:IM0ykgcfotDzei3AML5vF

Score
9/10
bootkitevasionpersistencetrojan

Malware Config

Targets

    • Target

      cd3fd72c86defc317c58ae5fb7bc7fcb6ee7e2c37d3bb0aa214fa3552602b557

    • Size

      14.6MB

    • MD5

      51f8844e1ffe0784c96c775213e12da7

    • SHA1

      d96bef1c07db5088160a5e4e362cfe7f22a61ab5

    • SHA256

      cd3fd72c86defc317c58ae5fb7bc7fcb6ee7e2c37d3bb0aa214fa3552602b557

    • SHA512

      b4a76b3b19db4865abc3db6c534d73c9f2ed69dd37cbc50069cdc2a484df713c5f78e98db03770a9ce43fa8024ef7ca26c64ea599c278be091e39ebd7b433c01

    • SSDEEP

      393216:RWMypjm/mSh6gcMGo13D7VquFeRq5solYLML5vnF:IM0ykgcfotDzei3AML5vF

    Score
    9/10
    bootkitevasionpersistencetrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Checks whether UAC is enabled

      evasiontrojan

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks