General

  • Target

    Downloads+12.6.24.rar

  • Size

    80.7MB

  • Sample

    240811-3bewdaybpc

  • MD5

    6581ff2dd9ee474331780c2112500d6a

  • SHA1

    a164068608d9c2b32e07a0534617716c49629230

  • SHA256

    66cf7d06e6cf6413d3e9e6a488f7528f5c6d06057abec20496f70d1691fbdfb2

  • SHA512

    a9aa014dfaab0f60b69e6ec8b7d9a466d5f976543507727257cf3b09c4fc202e7ff9cba9cc46a284cb891cdb49d95a226f27d7f64cf5d4f84b9e1e9cce91968a

  • SSDEEP

    1572864:qRZgqlQF1RtT241GjCmpieL4IK7iilrrtAycBAHyw+GCzYhXKs5l44jm4/usyXQ7:qQfT241GjCmp/GxRURqdKWmOHwq

Malware Config

Targets

    • Target

      Downloads 12.6.24/Downloads 12.6.24/Downloads/Blocker v2.exe

    • Size

      12.4MB

    • MD5

      a9c090dde54cb5f996b3e15da5fe3b08

    • SHA1

      e799961d2a957c2b84dc6ff32e73c5cabe45a395

    • SHA256

      deae15597f320e6c3b7b655947a6ef9459027790d452f5e1f2559b15ce50a2df

    • SHA512

      21e1a2d4e14399ecf3e5d085d0017b756ba8821708c8d5601c718fea356af1b701e60d2d61d8cdaabd7e962975d5bf230e6d421ac1e620556e3d8c605e1f87d8

    • SSDEEP

      393216:6Pyeiimo7NiqXDCzcQ9Lnp/4ygyeF53i4F2CucQOuons:T9imoMMS1/pgyeFNiS2CEp

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Checks whether UAC is enabled

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Downloads 12.6.24/Downloads 12.6.24/Downloads/CS2.exe

    • Size

      7.1MB

    • MD5

      6be8621375d6d268f679d4740d334a8c

    • SHA1

      b042e6719c564384342d42028a3abf5e7ab994d3

    • SHA256

      3b618def9c8d4fd1cb3a4b8553f83c1ecc01be8720d82764ae7f5678570c9ddc

    • SHA512

      6e6aaf63bd11a3efa11a0f5797dc34a75da1d6258c432df34fba0f29732edb89a78274bcbabdfbbdd055c6361458b960d86b4181ce3e08a0af3e384a4ce99cee

    • SSDEEP

      196608:EgAnvZibpOQnBkJqjBkRWZrKz0Ilzo+2Ugc/NWdy41Ko9haDHMpCHMhW6E:2vQbiQjBSWZGZO

    • Score

      1/10

    • Target

      Downloads 12.6.24/Downloads 12.6.24/Downloads/Loud Chair.exe

    • Size

      18.9MB

    • MD5

      e85d8cd73a221953c10c6ae719c4daae

    • SHA1

      a78ad50dd874b8a159c1300035927ffae558930f

    • SHA256

      320d56906b73e07663ae65f53e6ee1008042e3ecdd640f34d60e48c035fa7eb5

    • SHA512

      10c36ff7963159f6b76e80105aefefef3d6a075ad6d9d9a79397ce4f24f9f2f8deed59033543b0722614340ac9a9524c466509c609458b0160d826bc8e77fcd2

    • SSDEEP

      393216:Infyt2vkj2gwfhbjlZDnJAKqnPg69iG4C7NH:tt2Q2XtRtnmVFJp

    • Score

      8/10

    • Downloads MZ/PE file

    • Looks for VMWare Tools registry key

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Downloads 12.6.24/Downloads 12.6.24/Downloads/Perm Woofer.exe

    • Size

      28.1MB

    • MD5

      6d580b009bd7e0c1d5d2e1da54191743

    • SHA1

      4e3568f77dfb112c6a30c9f04fece99b0a219153

    • SHA256

      33db059ad0344af99a91e5dc4645b4ed21f6476301dbcdd9b7938fa9f5b240fa

    • SHA512

      2e7b119a035295da2a1c666f6b4d1c2de1cc2aaf2392dc4c4f76bb4edef74022902b50b539aa26a0c035c7f4d87442dc498236a37ea50e5a7408af355bad0325

    • SSDEEP

      786432:DEpTc844UEVZOh3yWhcs8sCir3G9uyRpwn3uY4dws:4S8WlinvU3yu+E3p7s

    • Score

      9/10

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Downloads 12.6.24/Downloads 12.6.24/Downloads/Privacy Protector.exe

    • Size

      8.6MB

    • MD5

      fbf038e5ef2e30da99e88371531dfebc

    • SHA1

      b0507491cf241aa4da8b73ef513528b2a937aa2c

    • SHA256

      0890f0b89e5c5745ad4bfaf1ca6459c5b765adae9cc2d0988e9456894350b434

    • SHA512

      2526c6e621b64c861aa5baddd9e80d2bdd5cd7d628be115584e3f0471536ab95ef85be48ae06b5207bc70f9e6eeeb75ceebc2594ebda6b1878cbc22f8321ea84

    • SSDEEP

      196608:gAHP6FQVWZ0C1+eqy/rRXEChq+ZExY37lJo9aM2yf/2dI:KPqWRUChqCtLlW5X2dI

    • Score

      9/10

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Downloads 12.6.24/Downloads 12.6.24/Downloads/Silent Chair/Byr723V3Cq1.exe

    • Size

      5.6MB

    • MD5

      05396b1d29a97b383fbd638b1f9355a9

    • SHA1

      34123ced194bfb10bab574555784e4bf43b97c8c

    • SHA256

      f7b154b559d43433246b75a5294f260ecf11a1e03a77264b037c9d54a14315da

    • SHA512

      b4de31b07c9dea35c37ec4ec5ee7eb4d46fa6a25801238ee36e859166f7f46dd033dde0abcc8184a63209e9d69a79ced5103e2a97f1d0dd4827706ee35c503bd

    • SSDEEP

      98304:ETIF0v7xEkVfXhspQU9hP3P0yM5bOxetYqzxiU6WCTHXqj97sWl+0xGL:ENvqCfRsa03PZMceDMU6WcI93zx

    • Score

      5/10

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Downloads 12.6.24/Downloads 12.6.24/Downloads/Silent Chair/bsod fix.bat

    • Size

      415B

    • MD5

      392f331dc1744fbe560a2a17d7ca838f

    • SHA1

      817559945e137d036f47b26696d4fab5f22572c1

    • SHA256

      318ae14fd3712848ed06c109d36a9df600964e1d827581f980c121d52a7b5df5

    • SHA512

      0b1023402d8bf343cdee0e1e643209a65879dca4a7e22862b28ba08dea2d1a72ff651ab757ce32ad11add2aad61b44f36a64d1c754bdbe1ea740c44c2857c0dd

    • Score

      1/10

    • Target

      Downloads 12.6.24/Downloads 12.6.24/Downloads/Silent Chair/w11 fix.bat

    • Size

      507B

    • MD5

      6fb44052dc5a85a097feeb91d7a81712

    • SHA1

      29db33e6cf3286a6ba82af684ac535d42b43d257

    • SHA256

      7ec1b31de3b0114c266df0b475c5c582a504c7c38f7127949df27f78a5d1c026

    • SHA512

      ee9dbcc0a7340ec6fe968ba611f0849fd1b77b88cb5deaad4c6a516a417abaf14055021e949ca04fde979364f060504c911fede81b0c492b651ea1b3f246494a

    • Modifies boot configuration data using bcdedit

    • Modify Registry: Disable Windows Driver Blocklist

      Disable Windows Driver Blocklist via Registry.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Downloads 12.6.24/Downloads 12.6.24/Downloads/Unlock All/bsod fix.bat

    • Size

      415B

    • MD5

      392f331dc1744fbe560a2a17d7ca838f

    • SHA1

      817559945e137d036f47b26696d4fab5f22572c1

    • SHA256

      318ae14fd3712848ed06c109d36a9df600964e1d827581f980c121d52a7b5df5

    • SHA512

      0b1023402d8bf343cdee0e1e643209a65879dca4a7e22862b28ba08dea2d1a72ff651ab757ce32ad11add2aad61b44f36a64d1c754bdbe1ea740c44c2857c0dd

    • Score

      1/10

    • Target

      Downloads 12.6.24/Downloads 12.6.24/Downloads/Unlock All/nRi28Wtqb1.exe

    • Size

      5.6MB

    • MD5

      872b0fa8c0306040f181d08c5d7a252b

    • SHA1

      a08cf74361c96aa4d7e4503af6563c63b95f1973

    • SHA256

      3a5576c4e7d9ed56cc295fea24ef0fa68cf4235dfefa434caa32015887e757c3

    • SHA512

      23d8610ac8bfcb68695b652dd8d35edcc5f17994c90966ef0cabf11489d983cc852dd8e6d36ec85c78ec6f63cb6a7b21238a6d9687494f3ef99bc7ca86a4a277

    • SSDEEP

      98304:GRx4heu/+/tswG+PJPigEtVTH41ZE6HqM/aZeOO4wZivrH/LXmfI1ZWQpy:GL4gy+/tbG+PJa3txT6KKaLbwZivrjdJ

    • Score

      5/10

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Downloads 12.6.24/Downloads 12.6.24/Downloads/Unlock All/w11 fix.bat

    • Size

      507B

    • MD5

      6fb44052dc5a85a097feeb91d7a81712

    • SHA1

      29db33e6cf3286a6ba82af684ac535d42b43d257

    • SHA256

      7ec1b31de3b0114c266df0b475c5c582a504c7c38f7127949df27f78a5d1c026

    • SHA512

      ee9dbcc0a7340ec6fe968ba611f0849fd1b77b88cb5deaad4c6a516a417abaf14055021e949ca04fde979364f060504c911fede81b0c492b651ea1b3f246494a

    • Modifies boot configuration data using bcdedit

    • Modify Registry: Disable Windows Driver Blocklist

      Disable Windows Driver Blocklist via Registry.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

themida
Score
7/10

behavioral1

evasion, execution, persistence, trojan
Score
9/10

behavioral2

evasion, execution, persistence, trojan
Score
9/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

evasion
Score
8/10

behavioral7

evasion, trojan
Score
9/10

behavioral8

evasion, trojan
Score
9/10

behavioral9

evasion, trojan
Score
9/10

behavioral10

evasion, trojan
Score
9/10

behavioral11

Score
5/10

behavioral12

Score
5/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

defense_evasion, evasion, execution, ransomware
Score
9/10

behavioral16

defense_evasion, evasion, execution, ransomware
Score
9/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
5/10

behavioral20

Score
5/10

behavioral21

defense_evasion, evasion, execution, ransomware
Score
9/10

behavioral22

defense_evasion, evasion, execution, ransomware
Score
9/10