General

  • Target

    Loader.exe

  • Size

    21.2MB

  • Sample

    240612-s7sf8szhmg

  • MD5

    641724e3d8211104be31438b62dc7d15

  • SHA1

    114e784ccc74babf9590583bff1e1e83e8929bb4

  • SHA256

    569542c9e1cc03c6e2482db365581e60c94f6fae7e130059ecd6fd4e1501ac2d

  • SHA512

    5fc3562e2b0483f9c6ca6b16586d9f15b585b692f98c7547f3ce087114e9c8bb35e7a2d54e0e788489573ebf405650104c8ebf377baddc3cbacc8321916eeb2f

  • SSDEEP

    393216:FBKR69QxEl93SQh6mn7tG+vp2jbKmMQL8NGm10C9REV6f01Serw2ngtTV:LKIsGj6CRGu23MBGm9wXzngT

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      VirtualBox guests expose ACPI tables under registry keys carrying the VBOX__ identifier; reading them is a common virtual-machine check.

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Checks whether UAC is enabled

      Reads the EnableLUA policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Setting ThreadHideFromDebugger on a thread stops it from delivering debug events to an attached debugger, a standard anti-debugging technique.
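
The signatures above are behavioural rules evaluated over the sample's API trace. The following is an added example of how such rules can be expressed and mapped to ATT&CK technique IDs; it is not the sandbox's own rule engine. The trace format (a list of dicts with `api`, `key`, `value`, `handle` fields), the function names and the SAMPLE_TRACE contents are assumptions constructed for this illustration. The registry paths and the ThreadHideFromDebugger info class (0x11) are the well-known values these checks key on; the T1622 mapping for the anti-debug signature is mine and is not part of the report's matrix.

```python
"""Behavioural signature matcher over a constructed API trace (added example)."""
from collections import Counter

THREAD_HIDE_FROM_DEBUGGER = 0x11   # THREADINFOCLASS value passed to NtSetInformationThread
MBR_SIZE = 512                     # sector 0 of the disk holds the MBR

# Constructed trace in the shape a sandbox might log; assumption, not real sandbox output.
SAMPLE_TRACE = [
    {"api": "RegOpenKeyExW", "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"api": "RegQueryValueExW", "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
     "value": "SystemManufacturer"},
    {"api": "RegQueryValueExW", "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
     "value": "SystemProductName"},
    {"api": "RegQueryValueExW", "key": r"HKCU\Control Panel\International\Geo",
     "value": "Nation"},
    {"api": "RegQueryValueExW",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA"},
    {"api": "NtSetInformationThread", "info_class": THREAD_HIDE_FROM_DEBUGGER},
    {"api": "ControlService", "control": "SERVICE_CONTROL_STOP", "service": "ExampleSvc"},
    {"api": "CreateFileW", "path": r"\\.\PhysicalDrive0", "handle": 0x1C},
    {"api": "WriteFile", "handle": 0x1C, "offset": 0, "length": MBR_SIZE},
]


def _reg_events(trace, prefix):
    """Registry events whose key starts with prefix (case-insensitive)."""
    p = prefix.upper()
    return [e for e in trace
            if e["api"].startswith("Reg") and e.get("key", "").upper().startswith(p)]


def virtualbox_acpi(trace):
    # VirtualBox guests expose ACPI tables as HKLM\HARDWARE\ACPI\<table>\VBOX__
    return any("VBOX__" in e["key"].upper() for e in _reg_events(trace, r"HKLM\HARDWARE\ACPI"))


def bios_query(trace):
    return bool(_reg_events(trace, r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"))


def location_query(trace):
    geo = _reg_events(trace, r"HKCU\Control Panel\International\Geo")
    return any(e.get("value") == "Nation" for e in geo)


def uac_query(trace):
    pol = _reg_events(trace, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System")
    return any(e.get("value") == "EnableLUA" for e in pol)


def hide_from_debugger(trace):
    return any(e["api"] == "NtSetInformationThread"
               and e.get("info_class") == THREAD_HIDE_FROM_DEBUGGER for e in trace)


def service_stop(trace):
    return any(e["api"] == "ControlService"
               and e.get("control") == "SERVICE_CONTROL_STOP" for e in trace)


def mbr_write(trace):
    # A write at offset 0 through a handle opened on the raw physical disk.
    disk_handles = {e["handle"] for e in trace
                    if e["api"] == "CreateFileW"
                    and e.get("path", "").upper().startswith(r"\\.\PHYSICALDRIVE")}
    return any(e["api"] == "WriteFile" and e.get("handle") in disk_handles
               and e.get("offset") == 0 for e in trace)


# (signature text, ATT&CK technique IDs, predicate). IDs follow the report's matrix,
# except T1622 Debugger Evasion for the anti-debug signature, which is my own mapping.
SIGNATURES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", ("T1497", "T1012"), virtualbox_acpi),
    ("Stops running service(s)", ("T1489",), service_stop),
    ("Checks BIOS information in registry", ("T1082", "T1012"), bios_query),
    ("Checks computer location settings", ("T1082",), location_query),
    ("Checks whether UAC is enabled", ("T1012",), uac_query),
    ("Writes to the Master Boot Record (MBR)", ("T1542.003",), mbr_write),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", ("T1622",), hide_from_debugger),
]


def match_signatures(trace):
    """Return (signature text, technique IDs) for every rule the trace triggers."""
    return [(name, ids) for name, ids, pred in SIGNATURES if pred(trace)]


def technique_counts(matches):
    """Number of triggered signatures per technique ID, as a matrix cell would show."""
    return Counter(t for _, ids in matches for t in ids)


if __name__ == "__main__":
    hits = match_signatures(SAMPLE_TRACE)
    for name, ids in hits:
        print(f"{name}  [{', '.join(ids)}]")
    print(dict(technique_counts(hits)))
```

The MBR rule deliberately ties the WriteFile to a handle opened on `\\.\PhysicalDrive` and to offset 0, so an ordinary file write or a write elsewhere on the raw disk does not fire it; the same handle-tracking pattern is what separates a bootkit signature from generic raw-disk access.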

MITRE ATT&CK Matrix (ATT&CK v13)

Each technique is followed by the number of matched signatures mapped to it.

Execution

  • T1569 System Services (1)
    • T1569.002 Service Execution (1)

Persistence

  • T1543 Create or Modify System Process (1)
    • T1543.003 Windows Service (1)
  • T1542 Pre-OS Boot (1)
    • T1542.003 Bootkit (1)

Privilege Escalation

  • T1543 Create or Modify System Process (1)
    • T1543.003 Windows Service (1)

Defense Evasion

  • T1497 Virtualization/Sandbox Evasion (1)
  • T1562 Impair Defenses (1)
  • T1542 Pre-OS Boot (1)
    • T1542.003 Bootkit (1)

Discovery

  • T1012 Query Registry (3)
  • T1497 Virtualization/Sandbox Evasion (1)
  • T1082 System Information Discovery (4)

Impact

  • T1489 Service Stop (1)

Tasks