General

  • Target

    New WinRAR archive.rar

  • Size

    6.8MB

  • Sample

    240618-hmb9ea1gqe

  • MD5

    f1007b969de70ff8b4445b240db262ba

  • SHA1

    f53e35721182ac6a31762cb1067cc203f9a365c6

  • SHA256

    743dbf5f132386f3ba99319cdca074be5dd035d18171639ac8bd8539e1d038fd

  • SHA512

    c61306da1f844fb82a467c69252490882300a8a99d151253ff6b55d33c6ec2f3e558ada32109482cc63723d70c140399d0f0cf8e46cd29767de3ad67b4d5f34d

  • SSDEEP

    196608:G75FwBATst0I+EVjUnM/7UnM/AJXT8KgGAjnqbmCBvgukq:oFzTst0IVjx/7x/i8JGATABvguh

Malware Config

Targets

    • Target

      OrionChecker/OrionChecker.exe

    • Size

      615.1MB

    • MD5

      796c4e013accc1d47e263f2438248e5e

    • SHA1

      dbca3bb74c9715a4b21259fa644a39a59bb438a7

    • SHA256

      e934ef0b1bad86d0a8d2a08a90b64b309404b2983649f8e34d400704ce8c65c0

    • SHA512

      5ae71ea3ac4f15c6143a424e1e2491294e5f2e5508ca4c05b6fa2676634140ec03e27b698ab0378726b421369e36988f56e016e145ba10b2d517577a00de926c

    • SSDEEP

      49152:lNjqYcOatzfsFfG/oDx4tDhdLDG15f9pTo0trQyYxQw:lNjFcOaxYG/M43HA5fVt8Q

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      OrionChecker/SSQ.dll

    • Size

      1.7MB

    • MD5

      56a504a34d2cfbfc7eaa2b68e34af8ad

    • SHA1

      426b48b0f3b691e3bb29f465aed9b936f29fc8cc

    • SHA256

      9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

    • SHA512

      170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

    • SSDEEP

      24576:YPUxmkgSxPgobZPRjZ22H6edtOZzWySRO3mlE0i/Yl5P+qF+8k+ao/si6:8UxXPgo8e6WYBSJZSS5P97I

    Score
    1/10
    • Target

      OrionChecker/SSQLite.Interop.dll

    • Size

      1.7MB

    • MD5

      56a504a34d2cfbfc7eaa2b68e34af8ad

    • SHA1

      426b48b0f3b691e3bb29f465aed9b936f29fc8cc

    • SHA256

      9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

    • SHA512

      170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

    • SSDEEP

      24576:YPUxmkgSxPgobZPRjZ22H6edtOZzWySRO3mlE0i/Yl5P+qF+8k+ao/si6:8UxXPgo8e6WYBSJZSS5P97I

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks