723b879afabf3e4bbf627a1e9f2dbcd63709891d893cc625965e4828f8125aa1

Analysis

max time kernel
0s
max time network
0s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FabricSodium 1.16.5/Launcher_FabricSodium.exe
Size

2.5MB
MD5

ca4f58eadef98285c4284f83606193b2
SHA1

6590624f9a309a24701576cc9318d96efdfc9afc
SHA256

2f17b30ac709435cc9acdab1ceedf78209a7aefe14de6d9b098666c1e3f70b67
SHA512

3c2dac13127ebe7e8dfbdba96d092b63c85a10ee9b7d9e6f22e7adf27100372f0e3e213649d06b7de86bd4787ff898836b895042a649a6ee7da4eba2d2187939
SSDEEP

49152:wzf6V1jqp9ekTDKSxfHLqY+xKkmyLW5RhM0glo:wzyV0pnfOtIFIlo

Score

10^/10

bootkit defense_evasion discovery persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Launcher_FabricSodium.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Launcher_FabricSodium.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Launcher_FabricSodium.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher_FabricSodium.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2660	Launcher_FabricSodium.exe
Token: SeRestorePrivilege	2660	Launcher_FabricSodium.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2660	Launcher_FabricSodium.exe

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Launcher_FabricSodium.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Launcher_FabricSodium.exe

C:\Users\Admin\AppData\Local\Temp\FabricSodium 1.16.5\Launcher_FabricSodium.exe
"C:\Users\Admin\AppData\Local\Temp\FabricSodium 1.16.5\Launcher_FabricSodium.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2660