558a9fe5d58f6457f4d9fadd412c53e29d8748d41597df7c696f1353bd5a3f3f | Triage

Resubmissions

07-07-2024 07:43

240707-jkd6naxblq 9

Sharing

General

Target

Heist Editor 3.6.3.1Community.exe
Size

8.4MB
Sample

240707-jkd6naxblq
MD5

e2a942481a3c1489bce0adea0bb9e8ce
SHA1

29970574fe0f8c0f4597b4cd8c4694e9d746dd00
SHA256

558a9fe5d58f6457f4d9fadd412c53e29d8748d41597df7c696f1353bd5a3f3f
SHA512

18b1ad732b80f238f77ead0cb8ceabfcb54f8b766847abc748f4d273d2f7f03a56896efcee39f1f36c52c47db1526dbef5add33db5b996bed52e74556b1216ce
SSDEEP

196608:RXdz2vbYWAsmIWCj6ckBVly956WZs80kcsn0ukU7p5:Hyv8UWTNyH6K6TsZP7p5

Score

9^/10

bootkit evasion persistence privilege_escalation trojan

Malware Config

Targets

- Target
  
  Heist Editor 3.6.3.1Community.exe
- Size
  
  8.4MB
- MD5
  
  e2a942481a3c1489bce0adea0bb9e8ce
- SHA1
  
  29970574fe0f8c0f4597b4cd8c4694e9d746dd00
- SHA256
  
  558a9fe5d58f6457f4d9fadd412c53e29d8748d41597df7c696f1353bd5a3f3f
- SHA512
  
  18b1ad732b80f238f77ead0cb8ceabfcb54f8b766847abc748f4d273d2f7f03a56896efcee39f1f36c52c47db1526dbef5add33db5b996bed52e74556b1216ce
- SSDEEP
  
  196608:RXdz2vbYWAsmIWCj6ckBVly956WZs80kcsn0ukU7p5:Hyv8UWTNyH6K6TsZP7p5
Score

9^/10

bootkit evasion persistence privilege_escalation trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Modifies system executable filetype association
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Pre-OS Boot

Bootkit

Privilege Escalation

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitevasionpersistenceprivilege_escalationtrojan