General

  • Target

    633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.zip

  • Size

    70KB

  • Sample

    201021-y655xxpdya

  • MD5

    be549d09f087fbfe1a768526f57d645d

  • SHA1

    42a81011c264e9278b93aed45f9a4f5e8ddab54a

  • SHA256

    e881b128013e2c244a957ae86813864125c36edd24e9c2518beebdcf22aee4b2

  • SHA512

    77fec122109fe4c004dd257d412295c9a77aab368a969c8ba9c880fa0ebd2dbf0ed1302ce577c57ba951aeb7370096d0524034dd221ba95fbb56bed3d4c8d1f2

Malware Config

Targets

    • Target

      633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.exe

    • Size

      1.2MB

    • MD5

      ad90a317e686b1ab9db651c97ee448b2

    • SHA1

      5a2e9db7daa14511f8fb4e5a9e93e9721d68e593

    • SHA256

      633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2

    • SHA512

      65ebd80b4118d41acc1371ede9a9ee4b37011ed2a03dc7751d3e6d3fc92b9bb6956a442e8c38266bd5c97afdd4d68ebc1657ff2faf35c42e9d28aadf15006353

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Possible privilege escalation attempt

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Modify Existing Service (T1031): 1

  • Hidden Files and Directories (T1158): 1

Defense Evasion

  • File Deletion (T1107): 2

  • File Permissions Modification (T1222): 1

  • Modify Registry (T1112): 1

  • Hidden Files and Directories (T1158): 1

Impact

  • Inhibit System Recovery (T1490): 2
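
The "Deletes shadow copies" signature in the Targets section and the T1490 Inhibit System Recovery row above correspond to a small set of well-known Windows commands (vssadmin, wmic, wbadmin, bcdedit). What follows is an added example, not part of the sandbox report and not code from the sample: a detector run over process-creation records. The report does not show which command this sample actually issued, so every command line, the field layout, and the parent path are assumptions; only the parent's file name (the sample's SHA256-named executable) is taken from the report.

```python
"""Detect T1490 (Inhibit System Recovery) command lines in process-creation events.

Added example, not output of the sandbox report. The records below are constructed in a
Sysmon Event ID 1 style (pipe-separated Key=Value fields); the report does not show which
command this sample used, so every command line here is an assumption.
"""
import re
from typing import Dict, List

# Constructed events. The parent file name of the first record reuses the sample's
# SHA256-named executable from the report; its path and the remaining records are made up.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe  Delete Shadows /All /Quiet"
    r"|ParentImage=C:\Users\user\Desktop\633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.exe",
    r"Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic shadowcopy delete|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\bcdedit.exe|CommandLine=bcdedit /set {default} recoveryenabled no|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\wbadmin.exe|CommandLine=wbadmin delete catalog -quiet|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin list shadows|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB|ParentImage=C:\Windows\System32\cmd.exe",
]

# Rules are applied to the lower-cased, whitespace-normalised command line, so case and
# padding such as "Delete   Shadows" do not evade them. All of these map to ATT&CK T1490.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("vssadmin_resize_shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b")),
    ("wbadmin_delete_backup", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b")),
    ("bcdedit_disable_recovery", re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict. Only the first '=' of each field is a
    separator, so arguments such as /maxsize=401MB survive intact. A '|' inside a command
    line would break this flat layout; parsing real Sysmon XML/EVTX avoids that problem."""
    return dict(field.split("=", 1) for field in line.split("|"))


def normalize_command_line(cmd: str) -> str:
    """Lower-case the command line and collapse runs of whitespace to single spaces."""
    return " ".join(cmd.lower().split())


def match_rules(cmd: str) -> List[str]:
    """Names of every rule that fires on one command line (empty list if none does)."""
    norm = normalize_command_line(cmd)
    return [name for name, pattern in RULES if pattern.search(norm)]


def detect_recovery_inhibition(events: List[str]) -> List[Dict[str, str]]:
    """Run every rule over every event and return one hit per (event, rule) pair,
    carrying the parent image so an analyst can tie the command back to what spawned it."""
    hits = []
    for line in events:
        ev = parse_event(line)
        for rule in match_rules(ev.get("CommandLine", "")):
            hits.append({
                "rule": rule,
                "technique": "T1490",
                "image": ev.get("Image", ""),
                "parent": ev.get("ParentImage", ""),
                "command_line": ev.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(f'{hit["technique"]} {hit["rule"]:<32} parent={hit["parent"]}')
```

Matching on the normalised command line rather than on the image name alone keeps the benign "vssadmin list shadows" from firing while still catching the delete and resize forms, which administrators rarely run interactively. The ParentImage field is what turns a rule hit into a lead: a shadow-copy deletion whose parent is an executable sitting in a user profile, as constructed in the first record, deserves far more urgency than the same command launched from an administrator's cmd.exe.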
