General

  • Target

    notepad (2).exe

  • Size

    7.7MB

  • Sample

    240827-rd9mzsthqc

  • MD5

    9d7fef66dc4986975e8fafbd9662f3ba

  • SHA1

    2f3f244cc09c7470ba143dff36252089d4894e49

  • SHA256

    3b580645f8fc0d21da5ef9c755f4d4b794434305dc0e507e13c67ef6bc03f4b8

  • SHA512

    ef983275a0ed6c389e1568e8f7b6c3d22bf9214fe1939f979715d392f115d3ab7ed27168035747c8130242c87a12666dc4d301ab490901b3bda127d82af76580

  • SSDEEP

    196608:QysjwLcUG4raKu24YY7HVT4hV0AD6QgqKRgX:fRmKr4YYH+EUWpgX

Malware Config

Targets

    • Target

      notepad (2).exe

    • Size

      7.7MB

    • MD5

      9d7fef66dc4986975e8fafbd9662f3ba

    • SHA1

      2f3f244cc09c7470ba143dff36252089d4894e49

    • SHA256

      3b580645f8fc0d21da5ef9c755f4d4b794434305dc0e507e13c67ef6bc03f4b8

    • SHA512

      ef983275a0ed6c389e1568e8f7b6c3d22bf9214fe1939f979715d392f115d3ab7ed27168035747c8130242c87a12666dc4d301ab490901b3bda127d82af76580

    • SSDEEP

      196608:QysjwLcUG4raKu24YY7HVT4hV0AD6QgqKRgX:fRmKr4YYH+EUWpgX

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks