General

  • Target

    5678891285118976.zip

  • Size

    642KB

  • Sample

    201103-2nx758w2qs

  • MD5

    c2a4297c476443a72202341f4b867f5d

  • SHA1

    6a5364eeafc01f0563b59d370d15519148532a81

  • SHA256

    fc11050f29c333b365df4fc8788985668bcdb6095a5874e01f68986b37bee065

  • SHA512

    f598fb3618dce38009af2775bd7175d4281c18faaa0b00ae03b89d47103f2258d0819873e9e61f5911c2dca8841970febe16e5ca520ebacd1c6d074c49171ab1

Malware Config

Targets

    • Target

      4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f

    • Size

      1.3MB

    • MD5

      499c0ce4d95fc22c33ca1d3812208bcc

    • SHA1

      8ddf753af17768f0fb32b6e1697bd1fd87ab4433

    • SHA256

      4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f

    • SHA512

      03c855ee390e7910e8429b93a5c48b1d03b69f2b58f1eb306a2b7173948833bed8fe8a6ba334ea7778899783c0de59e9f233d9bb25bc3a904ea1b53ade4c10d7

    • Ouroboros/Zeropadypt

      Ransomware family based on open-source CryptoWire.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service: T1031 (1)

  • Credential Access

    Credentials in Files: T1081 (1)

  • Collection

    Data from Local System: T1005 (1)

  • Command and Control

    Web Service: T1102 (1)

Tasks