General

  • Target: waveypkg.7z
  • Size: 8.3MB
  • Sample: 240928-h7c2fawbmg
  • MD5: fba86310680ddf6dc9cef8574d9f4b7f
  • SHA1: 2749e6705098cf2a1e4fadb9400793a8385bc4a2
  • SHA256: 609f4bb6eccf5d6c2f4bdb753d9b5d01a39b930b852231b634023a58bb3d2c7f
  • SHA512: b56db07dd678e7a3aabef453555ccf6bdd55550236884283eeeb574d7bf96b4fafc3f7bc817df6f809f9b95c8e9527eba3b15564f88a3d8ac67df092c1471efc
  • SSDEEP: 196608:d/O71yTIbqDbTcrCzTzB2vn9Tsy/SQSQLQeC1E8:/TfnSCzT4v9J6QF4

Targets

    • Target: cli_gui.exe
    • Size: 2.9MB
    • MD5: 8f21c4390128917bf5af5c2ee3fbc592
    • SHA1: 733cc166b3161772755edf69314003a4a5e87953
    • SHA256: 78b628830cd84013ba1bdab6c5f4a1529f828119157a77d212d86e82f35a817b
    • SHA512: c5116b27a4f722168c934319cd804a0390490be8341f27d39337877ce1c14e72c3dcdf725b982961c14de0a3da96362f2a9d4f4c486b7658c87c4801155cb015
    • SSDEEP: 49152:uMIG/+UMupsmDgHBXJOUQPlYpKmV9NGP7nvvUp6bSi3s4WYi2A0sOPxDcPC7i:dL/XkDuaKqPKnUSlbUSiPEi

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Themida packer
      Detects Themida, an advanced Windows software protection system.
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: cs2.exe
    • Size: 283KB
    • MD5: 8a2122e8162dbef04694b9c3e0b6cdee
    • SHA1: f1efb0fddc156e4c61c5f78a54700e4e7984d55d
    • SHA256: b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
    • SHA512: 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
    • SSDEEP: 6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
    • Score: 1/10

    • Target: syscfg.cfg
    • Size: 5.4MB
    • MD5: 742f1cee0055e6cd5efb4c9c189e67fc
    • SHA1: 15810c4034df74659c2b70d49de693b0e8bd021c
    • SHA256: 4a7d70f8c6e7286606f5cd78b38d84e1558e303da6c51e63dc48ff3ce55b3ed3
    • SHA512: 3beb8d2b548be6d078920d7634a7f335e1adf27c27e135971c177e76cb0e27506d8aadaca58ee8baf362f284c36afc8bac8cf48bf2cff56d747053a7625ea020
    • SSDEEP: 98304:I28M284gsA5EtsVitbdwl1PSE4dtOc04zpo0FnquMsO7xJdam9o1mq:L8MqgszkCbduZhc0yoMM7BaUtq

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Themida packer
      Detects Themida, an advanced Windows software protection system.
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
