General

  • Target

    zuhaowan_3.8.240608.1.exe

  • Size

    123.0MB

  • Sample

    240615-sqnrqaygmk

  • MD5

    50c05b029ef55a19889182801665c587

  • SHA1

    6408879b5f58583cc452233dc232925620ecd81d

  • SHA256

    ce55e2456c9c5e2bd8ebbd04312eb9ace148a60236d82ec5f205f7f076b38479

  • SHA512

    7b8978a3f24c2f5893f0488c1436181d28f44ca326c7582c9d005045ef7699020aea7b68c680473423e119e54c862f1e14b577b003689d6b5cfaa1bfe20bd7c5

  • SSDEEP

    3145728:wy7Lu15hh4UMorphwh/vfKmQs9szr8gTUrGJyd6g:w4LurhWUri/qds9sz4WZu

Malware Config

Targets

    • Target

      zuhaowan_3.8.240608.1.exe

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic           Technique                            ID          Count
  Execution        Command and Scripting Interpreter    T1059       1
  Execution        PowerShell                           T1059.001   1
  Persistence      Pre-OS Boot                          T1542       1
  Persistence      Bootkit                              T1542.003   1
  Defense Evasion  Pre-OS Boot                          T1542       1
  Defense Evasion  Bootkit                              T1542.003   1
  Defense Evasion  Subvert Trust Controls               T1553       1
  Defense Evasion  Install Root Certificate             T1553.004   1
  Defense Evasion  Modify Registry                      T1112       1
  Discovery        Query Registry                       T1012       2
  Discovery        Peripheral Device Discovery          T1120       1
  Discovery        System Information Discovery         T1082       2

Tasks