General

  • Target: Checkm8.info_Software_5.2.1_win.zip

  • Size: 149.6MB

  • Sample: 240922-yp19bavfnr

  • MD5: b693e05e87ef2d43c1bd70d850d41c7c

  • SHA1: 289bb62b2741437153e501740d796425957f9040

  • SHA256: 57e3dd38216d55e7f71e20580ec8cf806501bf13ebef7043c11596719f4666c5

  • SHA512: 78e32b15007330ed0027f20b4729a14e2e51a82208ce0c3d3792a3fcb629bace263ab8779800f33b0bd02feaeb6be860ce29c3905ccf43ca3497049e0b2680a6

  • SSDEEP: 3145728:oWIUTjvtdjupkXsCsWT9Py9GWZsFi8qjTd/HTQg/MyTB/C3bD7IsTzvo0FmVIKI:oWIQtpupEsCsWRQG2sFdqHdt0Qa7IsHt

Targets

    • Target: Checkm8.info Software.exe

    • Size: 153.2MB

    • MD5: 179814f79366e207795be377253a3c51

    • SHA1: 2442b8e3af558da13ab361ef2b0aca3ede8cf09a

    • SHA256: 1331e7d924be8fd46e70a051fb978b935de4a4e2d792a25dcd1274556012566e

    • SHA512: 5a51a93a22b0640d79bd5e5ee98454add613a5ef1111fece30ea48662da6b9cf45607098949098c5051991a84594e6278e7fd7d152386af316c8b18195a07740

    • SSDEEP: 3145728:iK/uTmMTIdJQke9jZdKaCp5CECqAW6oZ6AsBY/lwMD8iaffDe0/wDe0/0XUm/:icMTITQke9jrKaC3CEpT6oOmyKqDe04m

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying the Authenticode and cryptography registry keys so that their binary is treated as validly signed.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger
