General

  • Target

    Predstavlenie № 6-51-2024 .docx.exe

  • Size

    11.3MB

  • Sample

    240515-l2gzzscd48

  • MD5

    45ae0c08a1fb98fe77e4cd127b79ef7d

  • SHA1

    12c7847fc2567ee9e6c0010f5c311753c017fa48

  • SHA256

    bb8165b8f60818061d12cac775d8d41436b16c9b40e01071fca7fb96f6ef435e

  • SHA512

    21cc13630fc1fe3bea4d45e356e63d4e94db7357040793b4d091ef75b2cf05191037380c493b944d1ecf748b9bd9935f1f91ba0c8654c57dbbe4530ab4fff4cd

  • SSDEEP

    196608:fxtCbFLyXyLm+2WzU4qrVTcHHRBTue9iSoCVMbgb/x3/18afx:fWxL4S2kCVsHRsekTCVxhjx
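The digests above are what an incident-response team actually takes away from this page, and the same "• Key / value" layout repeats for every dropped file under Targets. The Python below is an added example, not output of the sandbox and not code from the report: it parses that flattened layout into one record per target, indexes every digest, and answers whether a file on hand is one of the reported files. The REPORT string is a constructed excerpt carrying the digests printed on this page; the bytes hashed in the usage line are likewise constructed and match nothing in the report.

```python
import hashlib
import re

# Constructed excerpt in the report's own "• Key / value" layout, carrying the
# digests printed on this page; it stands in for the page text fed to the parser.
REPORT = """\
Targets

    • Target

      Predstavlenie № 6-51-2024 .docx.exe

    • Size

      11.3MB

    • MD5

      45ae0c08a1fb98fe77e4cd127b79ef7d

    • SHA256

      bb8165b8f60818061d12cac775d8d41436b16c9b40e01071fca7fb96f6ef435e

    • DarkTrack

      DarkTrack is a remote administration tool written in Delphi.

    • DarkTrack payload

    • Adds Run key to start application

    • Target

      $TEMP/rupedoras.exe

    • MD5

      d483c1a9718cf5d880b3cce5d6ff7423

    • SHA256

      8df595a1528a09fdcfe237a7dd1009d1380a886875747d1b145925968463f7bd

    • Target

      $TEMP/zapros.docx

    • SHA256

      c2a256547433bec8d7afbed923f453eb2df978f18ed498e82bb2b244b126a9f3

    Score
    1/10
"""

METADATA = ("Target", "Size", "MD5", "SHA1", "SHA256", "SHA512", "SSDEEP")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_targets(text):
    """Turn the flattened listing into one dict per target.

    A bullet whose next non-blank line is not another bullet carries a value;
    metadata keys keep that value, every other bullet is a signature name.
    """
    targets, current = [], None
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line.startswith("•"):
            continue
        key = line[1:].strip()
        value = None
        for nxt in lines[i + 1:]:
            nxt = nxt.strip()
            if nxt:
                if not nxt.startswith("•"):
                    value = nxt
                break
        if key == "Target":
            current = {"Target": value, "signatures": []}
            targets.append(current)
        elif current is None:
            continue  # bullets before the first "• Target" belong to no record
        elif key in METADATA:
            current[key] = value
        else:
            current["signatures"].append(key)
    return targets


def ioc_index(targets):
    """Map every well-formed digest in the report to the target it identifies."""
    index = {}
    for t in targets:
        for algo, length in HASH_LEN.items():
            digest = t.get(algo, "").lower()
            if re.fullmatch(r"[0-9a-f]{%d}" % length, digest):
                index[digest] = t["Target"]
            elif algo in t:
                raise ValueError(f"malformed {algo} for {t['Target']}: {digest}")
    return index


def digests(data):
    """All four digests of a byte string, keyed the way the report labels them."""
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in HASH_LEN}


def match_file(data, index):
    """Name of the report target this file is, or None if no digest matches."""
    for digest in digests(data).values():
        if digest in index:
            return index[digest]
    return None


if __name__ == "__main__":
    idx = ioc_index(parse_targets(REPORT))
    # b"abc" is constructed input; it is not one of the reported files.
    print(f"{len(idx)} digests indexed; b'abc' ->", match_file(b"abc", idx))
```

Feed `match_file` the bytes of a suspect file (`open(path, "rb").read()`) and the index built from the page; a hit on any one algorithm is enough, which matters when a ticket only carries an MD5. The SSDEEP values are deliberately left out of the index because they are similarity hashes, not exact-match IOCs.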

Malware Config

Targets

    • Target

      Predstavlenie № 6-51-2024 .docx.exe

    • Size

      11.3MB

    • MD5

      45ae0c08a1fb98fe77e4cd127b79ef7d

    • SHA1

      12c7847fc2567ee9e6c0010f5c311753c017fa48

    • SHA256

      bb8165b8f60818061d12cac775d8d41436b16c9b40e01071fca7fb96f6ef435e

    • SHA512

      21cc13630fc1fe3bea4d45e356e63d4e94db7357040793b4d091ef75b2cf05191037380c493b944d1ecf748b9bd9935f1f91ba0c8654c57dbbe4530ab4fff4cd

    • SSDEEP

      196608:fxtCbFLyXyLm+2WzU4qrVTcHHRBTue9iSoCVMbgb/x3/18afx:fWxL4S2kCVsHRsekTCVxhjx

    • DarkTrack

      DarkTrack is a remote administration tool (RAT) written in Delphi.

    • DarkTrack payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $TEMP/rupedoras.exe

    • Size

      11.2MB

    • MD5

      d483c1a9718cf5d880b3cce5d6ff7423

    • SHA1

      72be5e949dd6923a43e7eaab1811baea4bc4b644

    • SHA256

      8df595a1528a09fdcfe237a7dd1009d1380a886875747d1b145925968463f7bd

    • SHA512

      370e220b3bdb617a12479db075ee26741075306ce7a72237115b2d79c452baadf931ccf3b422e9d0ef1eb0138316c3233f3ecd27074f3e797dc20ee974eb6fe4

    • SSDEEP

      196608:BtCbFLyXyLm+2WzU4qrVTcHHRBTue9iSoCVMbgb/x3/18af:mxL4S2kCVsHRsekTCVxhj

    • DarkTrack

      DarkTrack is a remote administration tool (RAT) written in Delphi.

    • DarkTrack payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $TEMP/zapros.docx

    • Size

      11KB

    • MD5

      9871272af8b06b484f0529c10350a910

    • SHA1

      707979b027f371989fb71e36795b652a2d466592

    • SHA256

      c2a256547433bec8d7afbed923f453eb2df978f18ed498e82bb2b244b126a9f3

    • SHA512

      5bd60de706ed3ef717177b08fa69ebc8117fe52bf53e896b91d102430b4b976b136f2df75fe4d1cb9cf16f5e73052e030e364bdf212148b1471e9c2b99f76a4c

    • SSDEEP

      192:CtNCOdi9y6MGLnTCXK8b5o5psQrW8t6I6YjyodJYUeUgPm6E9S7P:aN9di9SQCXK3gQa8QI6gldSUezPmzAP

    Score
    1/10
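The first two targets trigger the same VirtualBox ACPI and BIOS-registry checks, and the dropper persists through a Run key pointing at the copy of itself it writes to $TEMP. The Python below is an added example, not code from the sample or from the sandbox: it runs both sides of that picture over a constructed registry snapshot. The first function lists the registry artifacts those anti-VM checks would find on an unhardened VirtualBox guest; the second hunts the Run keys for entries whose program lives under %TEMP% or %APPDATA%, the shape of the persistence reported here. The key names (HARDWARE\ACPI\DSDT\VBOX__, HARDWARE\DESCRIPTION\System\BIOS and its SMBIOS values) are the well-known VirtualBox artifacts, not values quoted from this report, which does not name the exact values read; the Run value name "rupedoras" and all snapshot data are assumed.

```python
import ntpath

# Constructed registry snapshot: roughly what a VirtualBox analysis guest looks
# like after the dropper has run. Keys and data are assumed, not taken from the report.
SNAPSHOT = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": {},
    r"HKLM\HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["VBOX   - 1"],                     # REG_MULTI_SZ
        "VideoBiosVersion": ["Oracle VM VirtualBox VBE Adapter"],
    },
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": {
        "SystemManufacturer": "innotek GmbH",
        "SystemProductName": "VirtualBox",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "rupedoras": r'"%TEMP%\rupedoras.exe"',   # assumed value name for the dropped copy
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
}
# Environment of the user the dropper ran as (constructed, used instead of os.environ).
ENV = {"TEMP": r"C:\Users\user\AppData\Local\Temp", "APPDATA": r"C:\Users\user\AppData\Roaming"}

VM_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK", "VMWARE", "QEMU", "BOCHS")
BIOS_KEYS = (r"HKLM\HARDWARE\DESCRIPTION\System", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS")
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run")
USER_WRITABLE = ("TEMP", "APPDATA")


def vm_artifacts(snapshot):
    """Registry artifacts the sample's ACPI and BIOS checks would find.

    Returns (key, value_name, data) triples; value_name and data are None for a bare key.
    """
    findings = []
    # VirtualBox stamps its ACPI tables with the OEM id VBOX__, which Windows mirrors as subkeys.
    for key in snapshot:
        up = key.upper()
        if up.startswith("HKLM\\HARDWARE\\ACPI\\") and up.endswith("\\VBOX__"):
            findings.append((key, None, None))
    # SMBIOS strings are copied into the registry at boot and name the hypervisor outright.
    for key in BIOS_KEYS:
        for name, data in snapshot.get(key, {}).items():
            text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)
            if any(marker in text.upper() for marker in VM_MARKERS):
                findings.append((key, name, data))
    return findings


def executable_of(command):
    """Pull the program path out of a Run value: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        close = command.find('"', 1)
        return command[1:close] if close > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def expand(path, env):
    """Expand %VAR% references from the supplied environment, either case."""
    for name, value in env.items():
        path = path.replace(f"%{name}%", value).replace(f"%{name.lower()}%", value)
    return path


def temp_run_entries(snapshot, env):
    """Run-key entries whose program sits under a user-writable directory.

    That is the persistence shape here: a Run value starting %TEMP%\\rupedoras.exe.
    """
    roots = [ntpath.normcase(env[v]) + "\\" for v in USER_WRITABLE if v in env]
    hits = []
    for key in RUN_KEYS:
        for name, command in snapshot.get(key, {}).items():
            exe = ntpath.normcase(expand(executable_of(command), env))
            if any(exe.startswith(root) for root in roots):
                hits.append((key, name, exe))
    return hits


if __name__ == "__main__":
    for finding in vm_artifacts(SNAPSHOT):
        print("VM artifact:", finding)
    for hit in temp_run_entries(SNAPSHOT, ENV):
        print("Run key into user-writable dir:", hit)
```

On a real host, replace SNAPSHOT with a `reg export` or `winreg` walk of the same keys and ENV with the affected user's environment. Every artifact `vm_artifacts` returns is one the sandbox should spoof before this sample will run its payload; `temp_run_entries` is kept to %TEMP% and %APPDATA% on purpose, since widening it to %LOCALAPPDATA% also pulls in legitimate per-user installs such as OneDrive, so a wider net needs to be paired with a digest check against the report's hashes.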

MITRE ATT&CK Matrix ATT&CK v13

Techniques observed, grouped by tactic; the number after each technique is how many triggered signatures map to it.

Persistence

  • T1547 Boot or Logon Autostart Execution: 1
  • T1547.001 Registry Run Keys / Startup Folder: 1

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution: 1
  • T1547.001 Registry Run Keys / Startup Folder: 1

Defense Evasion

  • T1497 Virtualization/Sandbox Evasion: 2
  • T1112 Modify Registry: 1

Discovery

  • T1012 Query Registry: 8
  • T1497 Virtualization/Sandbox Evasion: 2
  • T1082 System Information Discovery: 9

Tasks