General
-
Target
maple.zip
-
Size
83.6MB
-
Sample
240720-sj9qls1gpl
-
MD5
86463b8332ffc4d4f5636cf6baae2a79
-
SHA1
a18b67a927e2e6ec2b11155f47cdd11b3c087470
-
SHA256
3c937b8994ef68e8b3896c0e5aad62fc408ff403699ba3dcccdb79e2dc435e2a
-
SHA512
f1dc77847e88d1487b92e3cb00f648a807751b5a262da5eaa992fe5154c068966f00a49874c77f15ceece51b19fa25d492173b51bd14f5ff2d5828547715443e
-
SSDEEP
1572864:bbUY4Zrbabtl8T68GVWYye9QscqSx9mxXVjG02nxF6Atd3ulj68nmEmFWfwOwUSM:vUpXThGsYemSx412nDtd3ubnmQBwUSil
Behavioral task
behavioral1
Sample
maple/maple/Maple.exe
Resource
win11-20240709-en
Behavioral task
behavioral2
Sample
maple/maple/crack.dll
Resource
win11-20240709-en
Behavioral task
behavioral3
Sample
maple/maple/loader.exe
Resource
win11-20240709-en
Malware Config
Targets
-
-
Target
maple/maple/Maple.exe
-
Size
74.8MB
-
MD5
87dbbc1ff26b8f7e5cbe56b8f7d4d406
-
SHA1
c731816d542d527c25b0ce6269a573b8eb486e9b
-
SHA256
f7821841c7f10c253f9e34f91e38cea853244afc0103561647598c707ff26742
-
SHA512
2196b39219865c2efd75fa678b0e4723951a2a2f48094c410ddcff4b9ef59e35cb946788487130085f77826868abfe3e7c35cbb80389c3e4d59adedce860086c
-
SSDEEP
1572864:Aps9Fnab4+6DQSc6JUCSi0HTq1/3LmSGnxnkqbHbcT7IMpeQW/0FKAGCYK:wzx6cSgC0HMVGnDbHbc5peu9GCYK
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
maple/maple/crack.dll
-
Size
5.0MB
-
MD5
b5b1b26e855eda6268b9a2008e0fce86
-
SHA1
d7925f7de5835e3564b187d8654bb9305ea945fb
-
SHA256
06dec4f9857f7b9a43157756606546d04a0f34c87681c7db9aab9125a43b33a7
-
SHA512
14ad2e93ed5876dd246ce6f32674e994b4f35a5acbb1ac46388bebc682a70ce4eca974fda102c273c71dae3c9bc7b69f965fd636cb2d5c579de9cd23e8b35799
-
SSDEEP
98304:j+YCYfXbb8DckgAEhxWiHF/5DoNZ2qkFVwz7583lfdmjLdGGf:jP8QDDRF/eNsqgiZ
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
-
-
Target
maple/maple/loader.exe
-
Size
5.3MB
-
MD5
e630d72436e3dc1be7763de7f75b7adf
-
SHA1
40e07b22ab8b69e6827f90e20aeac35757899a23
-
SHA256
59818142f41895d3cadf7bee0124b392af3473060f00b9548daa3a224223993e
-
SHA512
82f0be15e2736447fae7d9a313a8a81a2c6e6ca617539ff8bf3fa0d2fe93d96e68afea6964e96e9dd671ba4090ddbc8a759c9b68f10e24a7fb847fe2c9825a83
-
SSDEEP
98304:MY5XZjNqBeNp4iSgPKpQ9CKhqkaIWvO9SYCxBKXyaxVdb+tSVGHyYDMMl7qg7:MYpMeNp4irCmWISnTz2VtIVDMg7n7
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1