94e4e8b432c9b4e92b0947ba012a9cee8485d7e68d2e0010fc73217cd8258317 | Triage

Sharing

General

Target

94e4e8b432c9b4e92b0947ba012a9cee8485d7e68d2e0010fc73217cd8258317N
Size

1.1MB
Sample

241012-mcp5qszeql
MD5

209f1ae8c9fbd77b44117c900814bfe0
SHA1

94b0857f5cbbfa7fa669229bea0b818b0f86bf36
SHA256

94e4e8b432c9b4e92b0947ba012a9cee8485d7e68d2e0010fc73217cd8258317
SHA512

92db045d882029b45667002910798f16bf86b540fe0ff1e162cd7c352b18fdfa40f46fb269da422c070fa4cfebcca494bb67bcccd40a94f0e5752a5298b46012
SSDEEP

24576:a9uaDyM3MU5sPYhkzqKietCBZLbrvKH43NKYJLWYJL:a9OM3sUk+KUnrvKH4YYFWYF

Score

10^/10

discovery evasion persistence privilege_escalation trojan

Malware Config

Targets

- Target
  
  94e4e8b432c9b4e92b0947ba012a9cee8485d7e68d2e0010fc73217cd8258317N
- Size
  
  1.1MB
- MD5
  
  209f1ae8c9fbd77b44117c900814bfe0
- SHA1
  
  94b0857f5cbbfa7fa669229bea0b818b0f86bf36
- SHA256
  
  94e4e8b432c9b4e92b0947ba012a9cee8485d7e68d2e0010fc73217cd8258317
- SHA512
  
  92db045d882029b45667002910798f16bf86b540fe0ff1e162cd7c352b18fdfa40f46fb269da422c070fa4cfebcca494bb67bcccd40a94f0e5752a5298b46012
- SSDEEP
  
  24576:a9uaDyM3MU5sPYhkzqKietCBZLbrvKH43NKYJLWYJL:a9OM3sUk+KUnrvKH4YYFWYF
Score

10^/10

discovery evasion persistence privilege_escalation trojan
- UAC bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalationtrojan