General

  • Target

    oh no.zip

  • Size

    607.9MB

  • Sample

    240927-yxpv9axcpp

  • MD5

    d2f3e3224e3880b935fddcf9c028d88e

  • SHA1

    526bfb47d8bd3834c508c2af3acd04fcec603502

  • SHA256

    18787f859db9b4df0cf089d0a8d3229847300b22ee1e5c6f2c1f34d2013b6cc6

  • SHA512

    86f388e2a1fc14fc97f429001556c6b994827905486d7398e0be931c3c78e4fd4a035183cf5cf4e035b60ef2d5341d6a96f65574471d86d3e1a80c1677d6f04d

  • SSDEEP

    12582912:GyBC6vFaxboAPzxahwHlxHVfyV8ZyqsKb8bqs0qs63FDnR3:zTMloMzx1jHVKV8ZdsAs7s6xR3

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://github.com/romkatv/powerlevel10k-media/raw/master

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://downloads.malwarebytes.com/file/adwcleaner

  • Source

    exe.dropper

  • URLs

    https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe

Targets

    • Target

      oh no/Permanent Spoofer/Spoofer.exe

    • Size

      2.7MB

    • MD5

      812b3e8694648f3049a0cb27f89aaedf

    • SHA1

      aaefe708a73044e855e3b2fec29267cc975f70ca

    • SHA256

      9cf81914030b67759112485c3f7fbf66286edd38e9a8bf93b5543e0cff582bd2

    • SHA512

      56dbbcd0db89fc62deac4097ba8bc4d2fff59c02600a17a1e0983b39d08c717f227da43843de791f2f8884c471488b546b7bf979bc973ce00d4ac05aa1c43740

    • SSDEEP

      49152:WXzhpDtKSK1cb8PGK+Tfuqmpc3elWo8GnQAsYZEVSV33:WXzhW148Pd+Tf1mpcOldJQ3/V0

    • Modifies visibility of hidden/system files in Explorer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      oh no/Permanent Spoofer/spoofer.exe

    • Size

      157KB

    • MD5

      407f16d056d7bbfc4f50042565aaf71c

    • SHA1

      183a360c72e6fe19e367acc3a63fc64b7b987747

    • SHA256

      fcd04587bc69ac61f1d59897fb35f248a1f97a3549df838d00321d73d65fe570

    • SHA512

      6829e640918a28017e44c69647f8842825b5161b710afcee315c5afdad52248925912fb0614767d4b911712a7608a1a9a68a992a6121fcba2f785c131895e271

    • SSDEEP

      3072:dDAikNUWzo0qGzruZW0qM05mw1mJTQSaMm5/6nHeeP1Gp:5AqW0pdxWlqeeP1Gp

    Score
    4/10

MITRE ATT&CK Enterprise v15

Tasks