General
-
Target
1997ce14984d4934d8de66cffd04ae80N.exe
-
Size
2.0MB
-
Sample
240822-wrmslatamj
-
MD5
1997ce14984d4934d8de66cffd04ae80
-
SHA1
6ee9ecae95f8246284df2301f87ac4e688a63e38
-
SHA256
c77d02ff3c121a9b6f1363abc64e6daeb1f183df47f3e95802092c0712a988a4
-
SHA512
1f9ca7d99bae63b8f1da115121c17f0b7e6e8b2d4fc93f8b360ca41ac03e0958cf4731083a3017a9911cae89a11dd703d0fb3cbede99a1235fe7bb3ea47c907e
-
SSDEEP
49152:AHyPzhp8e40llgHZr4WeSUoKXEnorZ3HGP0gZ/szKn:9P4mlg5rXKXEMmP0gyA
Malware Config
Targets
-
-
Target
1997ce14984d4934d8de66cffd04ae80N.exe
-
Size
2.0MB
-
MD5
1997ce14984d4934d8de66cffd04ae80
-
SHA1
6ee9ecae95f8246284df2301f87ac4e688a63e38
-
SHA256
c77d02ff3c121a9b6f1363abc64e6daeb1f183df47f3e95802092c0712a988a4
-
SHA512
1f9ca7d99bae63b8f1da115121c17f0b7e6e8b2d4fc93f8b360ca41ac03e0958cf4731083a3017a9911cae89a11dd703d0fb3cbede99a1235fe7bb3ea47c907e
-
SSDEEP
49152:AHyPzhp8e40llgHZr4WeSUoKXEnorZ3HGP0gZ/szKn:9P4mlg5rXKXEMmP0gyA
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Virtualization/Sandbox Evasion
2