General
-
Target
5d295dde33c5d410dc4d0d05.zip
-
Size
439KB
-
Sample
240913-vvmrbsyhqd
-
MD5
ebc73149f7ba97550f86a66b210ef8e3
-
SHA1
3606e6f2d153ce90ba64d9be290fa44f129eef37
-
SHA256
474fe4abd760d5c71fcb5ef7e654f9243691948275ed7df6df3274bc3e8c745d
-
SHA512
5b1e11bf0cadc653b831b5fe235a2d97e37ff97c3bfceaddc4b789a631c1467d064d4386c35c082c12fccdc92e7baa7ef06651ee65a14f0c45d1aa0668d064b8
-
SSDEEP
12288:E83Gb3qNsRUTWiKdLAKPa/uM5VB4j3JvLPZK:TsmsmCx8ia/L5vKzBK
Malware Config
Targets
-
-
Target
5d295dde33c5d410dc4d0d05.zip
-
Size
439KB
-
MD5
ebc73149f7ba97550f86a66b210ef8e3
-
SHA1
3606e6f2d153ce90ba64d9be290fa44f129eef37
-
SHA256
474fe4abd760d5c71fcb5ef7e654f9243691948275ed7df6df3274bc3e8c745d
-
SHA512
5b1e11bf0cadc653b831b5fe235a2d97e37ff97c3bfceaddc4b789a631c1467d064d4386c35c082c12fccdc92e7baa7ef06651ee65a14f0c45d1aa0668d064b8
-
SSDEEP
12288:E83Gb3qNsRUTWiKdLAKPa/uM5VB4j3JvLPZK:TsmsmCx8ia/L5vKzBK
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Network Share Discovery
Attempt to gather information on host network.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Modify Registry
2Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1Virtualization/Sandbox Evasion
1Discovery
Browser Information Discovery
1Network Share Discovery
1Peripheral Device Discovery
1Query Registry
6System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
1