General
Target: SimpleToolZ.exe
Size: 56.5MB
Sample: 240811-3zsgdazdla
MD5: d096ccc62bc5ca43fdaecdeb60579aaf
SHA1: ec7ea18a482a749f7d0c02a3e7c0c695ce28b74e
SHA256: b8b9a275dd7074b5169977ea5e71d0399845e88408d94b71878a7950d926c316
SHA512: 006bd3eca1a2d6b16ffd1cb46e0066756eb57abb9b618454a186b1d1fd237bfed23c0bfe197ada61520a9d5e98b2bf360beb528a46687ae5e3c9da60ccd923b2
SSDEEP: 1572864:amKm5eNXA90p2N+iUgK1EEZBplhSwPTMSnhXQYoeQBPd:t5ec6C+imvrM0QYoeu1
Static task: static1
Behavioral task: behavioral1 (Sample: SimpleToolZ.exe, Resource: win7-20240704-en)
Behavioral task: behavioral2 (Sample: SimpleToolZ.exe, Resource: win10v2004-20240802-en)
Malware Config
Targets
Target: SimpleToolZ.exe (same file and hashes as listed under General above)
Score: 10/10
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Creates new service(s)
- Drops file in Drivers directory
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Power Settings: powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (2)
  Virtualization/Sandbox Evasion (1)