General
- Target: Blocker.exe
- Size: 11.7MB
- Sample: 241117-q8hbjs1gmn
- MD5: abce79a1271e035df29190ed1be30eb5
- SHA1: 5ff988b7dd16db91ae1e98e46016530ede87e686
- SHA256: e0a228f8bc9eeec5d2bf5a9107288283cd88fc487ecb0037240ae4856d80c75f
- SHA512: 1f3f218f63f24cc487947752d1dac3db5c10a12898a7201f92776d3f2f37feac36a6fc502aaf1d92a6397d934905fa3b9700ec83a2c987c99ced4529658d8bb1
- SSDEEP: 196608:Bvb2egzMCEhCrbsk6usRqtRDTQFx7OElz6xXRJCySVYWQVNXApOnWvzS:t2pMpho96usRqt9TWfhQBJCTSWcNXAEV
Behavioral task: behavioral1
- Sample: Blocker.exe
- Resource: win7-20240903-en
Malware Config
Targets
- Blocker.exe (same size and hashes as listed under General)
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)