General

  • Target

    igrppr_pfinder.zip

  • Size

    15.4MB

  • Sample

    240615-al1llswcml

  • MD5

    2036d3307dbe4585acf384337ad1cb40

  • SHA1

    f4e45df936fe988adaabd880496c781be1c2a189

  • SHA256

    152445851c44e16f9efeaebc9d66a73bceb6f34976cc7354501877f008cb8869

  • SHA512

    9c83c5228af053c3cece0ee113ca493508eb09eee222882829ea0bc991c747b859900b6736f25261046fbc13a8766df2a093b9eeb1d47eeb924d8ab1309e1c1e

  • SSDEEP

    393216:6s6nr99NewcstopZW0bQ13rNUvOOYO8MBCn5Hg5Zo3nNmGh:6sQr9/ect+ZIRNCX6nqZzGh

Malware Config

Targets

    • Target

      igrppr_pfinder.zip

    • Size

      15.4MB

    • MD5

      2036d3307dbe4585acf384337ad1cb40

    • SHA1

      f4e45df936fe988adaabd880496c781be1c2a189

    • SHA256

      152445851c44e16f9efeaebc9d66a73bceb6f34976cc7354501877f008cb8869

    • SHA512

      9c83c5228af053c3cece0ee113ca493508eb09eee222882829ea0bc991c747b859900b6736f25261046fbc13a8766df2a093b9eeb1d47eeb924d8ab1309e1c1e

    • SSDEEP

      393216:6s6nr99NewcstopZW0bQ13rNUvOOYO8MBCn5Hg5Zo3nNmGh:6sQr9/ect+ZIRNCX6nqZzGh

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks