General

  • Target

    weave.exe

  • Size

    15.4MB

  • Sample

    240822-lgq26aselm

  • MD5

    8232aa26c35a5c0e65e5de1c26dda123

  • SHA1

    3d6b0e100f43dc1a4b8ce4c78cbb03169f5001b1

  • SHA256

    5abfd9a755941262e7c68d0d64a15260810cd9ec73244287c957c316c587a3e1

  • SHA512

    8d289e9c1dc1c184ba50a41363a4eba4f5ed89988cac80353af48325e6cfa465450f0f2c89cf7b2b7b864ff30f4770bae3ad85513479a6a3455038e8f8dc5b63

  • SSDEEP

    393216:mqnsH7L9RseITuHE/8zeSL5rFpgRwK1RGWb1j6l:m10dTIZzeSL5x6SK1Rt

Malware Config

Targets

    • Target

      weave.exe


    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks