General

  • Target

    Blocker.exe

  • Size

    11.7MB

  • Sample

    241117-q8hbjs1gmn

  • MD5

    abce79a1271e035df29190ed1be30eb5

  • SHA1

    5ff988b7dd16db91ae1e98e46016530ede87e686

  • SHA256

    e0a228f8bc9eeec5d2bf5a9107288283cd88fc487ecb0037240ae4856d80c75f

  • SHA512

    1f3f218f63f24cc487947752d1dac3db5c10a12898a7201f92776d3f2f37feac36a6fc502aaf1d92a6397d934905fa3b9700ec83a2c987c99ced4529658d8bb1

  • SSDEEP

    196608:Bvb2egzMCEhCrbsk6usRqtRDTQFx7OElz6xXRJCySVYWQVNXApOnWvzS:t2pMpho96usRqt9TWfhQBJCTSWcNXAEV

Malware Config

Targets

    • Target

      Blocker.exe

    • Size

      11.7MB

    • MD5

      abce79a1271e035df29190ed1be30eb5

    • SHA1

      5ff988b7dd16db91ae1e98e46016530ede87e686

    • SHA256

      e0a228f8bc9eeec5d2bf5a9107288283cd88fc487ecb0037240ae4856d80c75f

    • SHA512

      1f3f218f63f24cc487947752d1dac3db5c10a12898a7201f92776d3f2f37feac36a6fc502aaf1d92a6397d934905fa3b9700ec83a2c987c99ced4529658d8bb1

    • SSDEEP

      196608:Bvb2egzMCEhCrbsk6usRqtRDTQFx7OElz6xXRJCySVYWQVNXApOnWvzS:t2pMpho96usRqt9TWfhQBJCTSWcNXAEV

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks