General

  • Target

    Uni.bat

  • Size

    1.8MB

  • Sample

    240611-v66ctavgml

  • MD5

    e0530598c6e19aaf4ce21c597abb9d56

  • SHA1

    1c0f21a14693adfaf74b2d9a0e3d29cd9d654c49

  • SHA256

    cf847f1b243c87dfdb0f8b642432981872ef22e616209d9d380e8377fca0c98c

  • SHA512

    e7ccfbb1d9fa92a5689ab292c21bd5eb5bb4948083a253bbd5e7480ee73f45afdddb6df09762eb2060bf623e127994b01dcb4996fbf235d66302955f35d15030

  • SSDEEP

    24576:eO8kR9F7uTPwm8RD3tKXONxOAKGa8p/z9pZ/1michuXrSuy0tarRQkjGb3q2yoh7:eoQMDV9AONk1aXdauXy0tbDJh7

Malware Config

Targets

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks