91697fa6d5e1a59f0c71e7ae0f2a8928879a8522901153708d09bfe430bfa7cb | Triage

Sharing

General

Target

02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.zip
Size

42KB
Sample

201108-54wxtbps2j
MD5

5c4eef04d4cc784db523db69d318ec37
SHA1

05379d8b977a63f463564d49078fece90cc8f3a9
SHA256

91697fa6d5e1a59f0c71e7ae0f2a8928879a8522901153708d09bfe430bfa7cb
SHA512

9c4173707347dc87aef68d01990c57c8e8f7d16a728d1b9fad9d668550f5391e0694d8e8b313f6f9c1e0cecdb4f2377446f1d427bf245dbe81b218da6eeba1d4

Score

8^/10

bootkit persistence ransomware

Malware Config

Targets

- Target
  
  02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df
- Size
  
  54KB
- MD5
  
  cdb6e431b4eeb2909b1cf198f70ae444
- SHA1
  
  98205803babd17587e99913934eb6975c3dc8779
- SHA256
  
  02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df
- SHA512
  
  c24c5b4c3d1b9355db8e82aa3c1c228e12b107c2f2ad76ac5e1ec62dda516cbe2237b1839547ff80e9059a3f2debc1cf07daf30dc3dad2b579aa4eddb9ba33a0
Score

8^/10

bootkit persistence ransomware
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bootkitpersistence

behavioral2

bootkitpersistenceransomware