0f1bf8c193b4aa0ec51cbcfe3fa36188c0479291df077ed0ffe37d78db8eaf6f | Triage

Sharing

General

Target

wtava.zip
Size

467KB
Sample

200621-wraj43zgpa
MD5

77672b424b2890a77c18a5ec09a8f21c
SHA1

c48060eb19c19e9b009167158e03dce0c5bde83c
SHA256

0f1bf8c193b4aa0ec51cbcfe3fa36188c0479291df077ed0ffe37d78db8eaf6f
SHA512

e48f1dbc4148d64045d04f1b53ced5f39146e82115bdeefa2aa4a895f913952fde360ecafb3996ca1e7a456574d276ca6ba4eb10f0e425b905fcca345b987d2c

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Targets

- Target
  
  wtava.bin
- Size
  
  1.1MB
- MD5
  
  6c660f960daac148be75427c712d0134
- SHA1
  
  b3c597060abc20d3b3291f8b5252a3834d49b92f
- SHA256
  
  fa4626e2c5984d7868a685c5102530bd8260d0b31ef06d2ce2da7636da48d2d6
- SHA512
  
  48806df9787497cbf55a85a523c8e703aec1bb262c60a019ab45f420a87d016054a97dc428484bd5c2f7ba1c3f57a37d807fc4e1de487dbef1c76dc38fbf8fe0
Score

10^/10

evasion trojan persistence ransomware
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Adds Run entry to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies service
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

evasiontrojanpersistenceransomware

behavioral2

persistenceevasiontrojanransomware