Overview

overview

9

Static

static

3

7b128591d2...35.exe

windows7-x64

9

7b128591d2...35.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7b128591d2e9abb8d8c1a5fc29bbc3bbf8daf8adfea3e6c987938abf369c0935

  • Size

    10.7MB

  • Sample

    240526-hzhlysah8y

  • MD5

    49e2784fd399a731911182bf91260c20

  • SHA1

    c91e9fa33270ba27345196ab4a7cf78886210625

  • SHA256

    7b128591d2e9abb8d8c1a5fc29bbc3bbf8daf8adfea3e6c987938abf369c0935

  • SHA512

    c64c11ad91f38d9ac6f4a6a41c6cc15795219f4975400767533619653b520fdb512bb7e2e98040cbf49811a79270b6283aba58a243142dfaa7c76977def38aa2

  • SSDEEP

    196608:IVxYiPcAfv7vvykSnYhQslsSkgtCsW+99MdCg4G6bBT78IkPhLoUDQvURJZ8:IjYiPcAH7vv+nYhQisSkgI5g9Mdz4G6v

Score
9/10
bootkitevasionpersistencetrojan

Malware Config

Targets

    • Target

      7b128591d2e9abb8d8c1a5fc29bbc3bbf8daf8adfea3e6c987938abf369c0935

    • Size

      10.7MB

    • MD5

      49e2784fd399a731911182bf91260c20

    • SHA1

      c91e9fa33270ba27345196ab4a7cf78886210625

    • SHA256

      7b128591d2e9abb8d8c1a5fc29bbc3bbf8daf8adfea3e6c987938abf369c0935

    • SHA512

      c64c11ad91f38d9ac6f4a6a41c6cc15795219f4975400767533619653b520fdb512bb7e2e98040cbf49811a79270b6283aba58a243142dfaa7c76977def38aa2

    • SSDEEP

      196608:IVxYiPcAfv7vvykSnYhQslsSkgtCsW+99MdCg4G6bBT78IkPhLoUDQvURJZ8:IjYiPcAH7vv+nYhQisSkgI5g9Mdz4G6v

    Score
    9/10
    bootkitevasionpersistencetrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Checks whether UAC is enabled

      evasiontrojan

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks