General
-
Target
filmora_setup_full1081.exe
-
Size
2.0MB
-
Sample
240630-wk361avekn
-
MD5
2cebe47b7173d9c5347df5fefda7aa4d
-
SHA1
47fd78c898c19450e8b4392b2db648513b50a8aa
-
SHA256
c9965088b9c0333c1f95e4d0738cee30bce1297e6c51cdf9493ace105b95d098
-
SHA512
f069ea55e7db63c4b799a9a924ba20f7722cb01ad7b3f8d5f3e98368d2c8f784d088fcbd18929200b8188d1abdd3da89ffef98e2ac31c7240dd21fe50cecf62d
-
SSDEEP
49152:H05czfx+MZ5oqTGOFDyhFufVjypTQa9NSab8us1:HIczfX6mjFtfVm9NG
Malware Config
Targets
-
-
Target
filmora_setup_full1081.exe
-
Size
2.0MB
-
MD5
2cebe47b7173d9c5347df5fefda7aa4d
-
SHA1
47fd78c898c19450e8b4392b2db648513b50a8aa
-
SHA256
c9965088b9c0333c1f95e4d0738cee30bce1297e6c51cdf9493ace105b95d098
-
SHA512
f069ea55e7db63c4b799a9a924ba20f7722cb01ad7b3f8d5f3e98368d2c8f784d088fcbd18929200b8188d1abdd3da89ffef98e2ac31c7240dd21fe50cecf62d
-
SSDEEP
49152:H05czfx+MZ5oqTGOFDyhFufVjypTQa9NSab8us1:HIczfX6mjFtfVm9NG
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks whether UAC is enabled
-
Downloads MZ/PE file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Pre-OS Boot
1Bootkit
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Virtualization/Sandbox Evasion
1Modify Registry
4Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1