Overview

overview

10

Static

static

7

loader_spoff.exe

windows10-1703-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    loader_spoff.exe

  • Size

    14.8MB

  • Sample

    240902-f29gcatflb

  • MD5

    599a4fb8c831911b34006b625fdf01f8

  • SHA1

    24d46fd642fc6054a50206fd2ac345b91aac33b6

  • SHA256

    afa307461c073e2105ba5e46415ef924bc53473a4679c9c00a8f7289e64d4b2e

  • SHA512

    1b3f74c74856236de0980a67900fdaeeec549fb8ee8f368eec3f0c57fc685a60f16513503c0b3c3c1f5e3cef9ce1454bc08139f5ef4fd4761ec4be34e9f242ba

  • SSDEEP

    196608:o9huXbljcZCmOXWKlmADLZlAJK3SUMzN5UA+EU8M4doL/r+UAhphS9ulLLqJRxKb:o9GjcKWK0LKNiskVm/iFScRLGK3h1p6i

Score
10/10
defense_evasiondiscoveryevasionexecutionpersistenceransomwarethemidatrojan

Malware Config

Targets

    • Target

      loader_spoff.exe

    • Size

      14.8MB

    • MD5

      599a4fb8c831911b34006b625fdf01f8

    • SHA1

      24d46fd642fc6054a50206fd2ac345b91aac33b6

    • SHA256

      afa307461c073e2105ba5e46415ef924bc53473a4679c9c00a8f7289e64d4b2e

    • SHA512

      1b3f74c74856236de0980a67900fdaeeec549fb8ee8f368eec3f0c57fc685a60f16513503c0b3c3c1f5e3cef9ce1454bc08139f5ef4fd4761ec4be34e9f242ba

    • SSDEEP

      196608:o9huXbljcZCmOXWKlmADLZlAJK3SUMzN5UA+EU8M4doL/r+UAhphS9ulLLqJRxKb:o9GjcKWK0LKNiskVm/iFScRLGK3h1p6i

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionpersistenceransomwarethemidatrojan

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

      ransomware

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Server Software Component: Terminal Services DLL

      persistence

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Time Providers

1
T1547.003

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Time Providers

1
T1547.003

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Hide Artifacts

1
T1564

Ignore Process Interrupts

1
T1564.011

Impair Defenses

1
T1562

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Time Discovery

1
T1124

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

1
T1485

Inhibit System Recovery

1
T1490

Service Stop

1
T1489

Tasks