ccfce06113edd99d25c935f5d8a503140e6b402adb4cf4909e158f9c84aef8bc | Triage

Sharing

General

Target

ccfce06113edd99d25c935f5d8a503140e6b402adb4cf4909e158f9c84aef8bc.xlsb
Size

101KB
Sample

201120-4df418zela
MD5

736e81cce9c84c0f3de65ed475bde501
SHA1

781ee5c6fd1293059ef9295be072777bc9d192a1
SHA256

ccfce06113edd99d25c935f5d8a503140e6b402adb4cf4909e158f9c84aef8bc
SHA512

5fe2317508c921e38fb65722cd36ca5cd1c3ebb03c0cf27d9311d51126edfa16d09845cb4819a4005061167953bce6cca288d13659859813fc03882e88bc382a

Score

8^/10

bootkit macro ransomware

Malware Config

Targets

- Target
  
  _rels\.rels
- Size
  
  588B
- MD5
  
  2a3f7b12227dde4202a1ea2de7844031
- SHA1
  
  2fa82d298c553872ff3f741bdedb28aa43e64f46
- SHA256
  
  9741bf9066c5af654dc221e71608e58f57eab5c050f83491d079f3152836a0f1
- SHA512
  
  dcd46a70c9586c4fa08b6e4231b6725e936b91345d7723c7a4aa031b713f75de3e99cbaf2b12abf0ccfc28cf192e3c7f454ae59488e9446a54a0dfdad6a048ff
Score

8^/10

bootkit ransomware
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
behavioral1 behavioral2
- Target
  
  xl\_rels\workbook.bin.rels
- Size
  
  1KB
- MD5
  
  1bf1dcc87700b346bdb3cc8db03db6e7
- SHA1
  
  d810ab0a9d3cd5c0e0651888479370507a919c61
- SHA256
  
  24ea18c61240985f7258313f6fa3d428e4ffab52d3465f9c16d7ea7532d9263b
- SHA512
  
  9169df9853715aec803d068f60f0ae9ce1156da998383ea543814666cd6a4d55cd8b0fdffb68bd92502a952828e7005667de006ed4457b858a1a5a00315cfe17
Score

8^/10

bootkit ransomware
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
behavioral3 behavioral4
- Target
  
  xl\drawings\_rels\drawing1.xml.rels
- Size
  
  292B
- MD5
  
  f866b24afa35a970675eefc93fab93da
- SHA1
  
  e5b1a3cde2ad35b097c1fd48e68611c18c22cd16
- SHA256
  
  15a140b2ab9e3d49a7b49f824413744cc4959bc34c427cf50f7d6016697293c0
- SHA512
  
  b11963f7c07ce0a247a1783d3d9675f0ad4a7e41ba5b1a1b91bb2e4b495c6a68bd154c66db6a8baf405b9854ee54726f7ad191c6ce1707fc7e2ded782b6b668b
Score

8^/10

bootkit ransomware
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
behavioral5 behavioral6
- Target
  
  xl\macrosheets\_rels\sheet1.bin.rels
- Size
  
  449B
- MD5
  
  8a575cf1472de8dd8bd4975c92da416f
- SHA1
  
  bcfb86a68db5c2b1991c855271cb90ff6f58f5c3
- SHA256
  
  309817f94568205625486c3a39c79566395adfa2919527392ba5f80be723d6aa
- SHA512
  
  fc90c42ddc6c2fe99d313979c957a5877383a270f1bd5bea97cda269b104f09e15ae82029a558fbdaa47646ea85afff0a82dc7d85d45e3c56e72ef50187368bc
Score

8^/10

bootkit ransomware
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
behavioral7 behavioral8
- Target
  
  xl\vbaProject.bin
- Size
  
  14KB
- MD5
  
  8c4bba9bd06c94b6e58fcbbc54f28965
- SHA1
  
  af52b0e97a68558cf8fd989f4015611291a0201f
- SHA256
  
  a0784c2fd2801d6eddb259be10862f7018e7502e128f6b002521918dbeaed18d
- SHA512
  
  786a05fe1b0ebdd4dc57b8462ada70f7afe439b931b9d0f46afa52efe4e4a1bee739756cf0754d7d8e3b111dc7faaf9594b9734231d05e5f7af2a577a87e7c9f
Score

1^/10
behavioral9 behavioral10
- Target
  
  xl\worksheets\_rels\sheet1.bin.rels
- Size
  
  426B
- MD5
  
  0693b65fe6bef757063ca1a159f408e4
- SHA1
  
  dc3cc79ec9bd5bf5ec17568ee440eda54afedf96
- SHA256
  
  b8ac9a9a5e73a60199fcee1b84c1862aecc723127223ea4048c20a7e34fb8a00
- SHA512
  
  38f047021d628a01470e6933f19c65d2a8cdf59179f9bd34a3f4881e244f3deaf1fd021a94444f789cdeb3f0ce8fee3b3715d69797be2333e9321ae4c4ee2495
Score

8^/10

bootkit ransomware
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
behavioral11 behavioral12
- Target
  
  xl\worksheets\_rels\sheet2.bin.rels
- Size
  
  284B
- MD5
  
  304aa927ec330c0b3b90bcc9b2cb78d1
- SHA1
  
  3d398ca2c3fe150b48bc50182d64b553a2269185
- SHA256
  
  941f6fe30e57c633d1171cdfe832fec4e27dcccaeb3d49880b165b9a8d27aaa6
- SHA512
  
  ad2a8ed61b81995d655d869cfeee3b322889c66424b3c77fa6318127aa6b8fb8baae8b67fb4a48555ad913f8c4c7e16d4daf8165c2d4ddd4291156d2bd2e7059
Score

8^/10

bootkit ransomware
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
behavioral13 behavioral14

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

bootkitransomware

behavioral3

behavioral4

bootkitransomware

behavioral5

behavioral6

bootkitransomware

behavioral7

behavioral8

bootkitransomware

behavioral9

behavioral10

behavioral11

behavioral12

bootkitransomware

behavioral13

behavioral14

bootkitransomware