General

  • Target

    Terminator3.1.exe

  • Size

    2.0MB

  • Sample

    240428-rtq6ksab21

  • MD5

    2bc248da7543ff3e8a7aeb2353d4daa7

  • SHA1

    2ab295c16a8b762a26b37dc71c08dacda6bf8bbe

  • SHA256

    e8419d5bb0db3e945ca90579f079fdf907237defe8017c63e0188b2de518b1d3

  • SHA512

    3bb822b668506fac45d803b7ebe2b5d5bd2ca9d851746ceedb02619fc9c1f54648a720a7d9fde6e29bb7ac017fefb721c55b2de64f5eeada3e6f2d11f3fefbdf

  • SSDEEP

    24576:qD/RbUThN+XbXgZruqHrawhaUTFR7mDdsrsG5UHulCXR+xaTSfoY4f0y3QzpCy8v:qjRbU2XlqHBNpEdsC5TSf

Malware Config

Targets

    • Renames multiple (234) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with the ACProtect software protector.

    • Drops startup file

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • T1546 Event Triggered Execution (1)

    • T1546.001 Change Default File Association (1)

  • T1547 Boot or Logon Autostart Execution (1)

    • T1547.001 Registry Run Keys / Startup Folder (1)

  • T1542 Pre-OS Boot (1)

    • T1542.003 Bootkit (1)

Privilege Escalation

  • T1546 Event Triggered Execution (1)

    • T1546.001 Change Default File Association (1)

  • T1547 Boot or Logon Autostart Execution (1)

    • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (3)

  • T1542 Pre-OS Boot (1)

    • T1542.003 Bootkit (1)

Credential Access

  • T1552 Unsecured Credentials (1)

    • T1552.001 Credentials In Files (1)

Discovery

  • T1082 System Information Discovery (1)

Collection

  • T1005 Data from Local System (1)

Impact

  • T1491 Defacement (1)

Tasks