Resubmissions

02-08-2024 21:46

240802-1m17mswere 10

General

  • Target: Loader.exe

  • Size: 80.8MB

  • Sample: 240802-1m17mswere

  • MD5: 93e39aca43080a3a84a6e7a492b586a7

  • SHA1: eee096dcfba81e22bd3422243fef9705e0d9cd9c

  • SHA256: 6fdf6a1447279d9126829e279c7153d13c4e34312d5b74b1a66791f78535bac7

  • SHA512: e6f4b383d76f640cc6f5c59367af3719bd13c8cb609dfc511561eef7813fae62d640c8e24b4f4fc0c8242d9efed4a2e02244309be37f1ddd71a6f464a12714d7

  • SSDEEP: 1572864:NFh7vHcRltSk8IpG7V+VPhqYdfME7FFlHFziYweyJulZUdgAdW47jzux3a/Z9U:3h7vHcRLSkB05awcfhdCpukdRna49U

Malware Config

Targets

    • Target: Loader.exe

    • Enumerates VirtualBox DLL files

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Sets file to hidden

      Modifies file attributes so that the file is not shown in Explorer and similar tools.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks