General
-
Target
sample
-
Size
80KB
-
Sample
240708-fmp46avhld
-
MD5
2a1b218812d4f6422434d97169e514a3
-
SHA1
a6e870ba7b5c9f330c15f3d8a212bba3fa324dc2
-
SHA256
8d83a0e36057dd1d65a54dea417afccf11009f0ace2738f387f8de611fb262bf
-
SHA512
6ad15e153dd887a76b8b5badf7869c13887f71a486983684f0e91299cbd6a9a34f6c5b0458f7c9ecfa4d02d76f9c758b856cb0c0894d0fe8e93ef3e330fbc705
-
SSDEEP
1536:I60JFL5SwNiecv6Q5hNFZuSuWtWWxcIBje/6apKjpcXW+NaE3qGksAG6ZJsnfJeH:H0JFL8wk6VIBje/6apKjpcXW+NaE3qGk
Malware Config
Targets
-
-
Target
sample
-
Size
80KB
-
MD5
2a1b218812d4f6422434d97169e514a3
-
SHA1
a6e870ba7b5c9f330c15f3d8a212bba3fa324dc2
-
SHA256
8d83a0e36057dd1d65a54dea417afccf11009f0ace2738f387f8de611fb262bf
-
SHA512
6ad15e153dd887a76b8b5badf7869c13887f71a486983684f0e91299cbd6a9a34f6c5b0458f7c9ecfa4d02d76f9c758b856cb0c0894d0fe8e93ef3e330fbc705
-
SSDEEP
1536:I60JFL5SwNiecv6Q5hNFZuSuWtWWxcIBje/6apKjpcXW+NaE3qGksAG6ZJsnfJeH:H0JFL8wk6VIBje/6apKjpcXW+NaE3qGk
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Browser Extensions
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1