General

  • Target

    5370442549592064.zip

  • Size

    417KB

  • Sample

    210122-dz1leejqc2

  • MD5

    cea0d9d73e33bea434a3e50c35f28e94

  • SHA1

    f7e020545d7bfafc9ee94aeeee2d55f6f4ffc554

  • SHA256

    7e7bf63f1b2ba92baaa959119d16a928deab9cadbc7619092c3f9ba8bfc61520

  • SHA512

    05372b9ce7926f0c4fd050cc64114bb6d53a23da7ef647fd14ad304e280f85c2e35f65e394bb1757876f4b9cba0969dcde60b080b4c5823620d6429b7a4a8c4a

Malware Config

Targets

    • Target

      8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1

    • Size

      1.0MB

    • MD5

      3281b2d95e7123a429001400c10ebe28

    • SHA1

      b97308ea9f9c410188d43c34a867fa42c9e9128e

    • SHA256

      8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1

    • SHA512

      2d8829ba0023a0b0f2e3aaa48301f6458fec20e20c019840610f7f862a54615f46de28a5aeb470ae0df5e046d3a8da0310dc29df0b3f60f36ffe4438c469ff11

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Clears Windows event logs

      Removes the record of the sample's own activity from the host, hindering later forensic review.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

      Commonly used by ransomware to disable Windows recovery options before encryption.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
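
The signatures above are the sandbox's verdicts; the report does not show the command lines behind them. As an added example, not taken from the report or the sandbox vendor, the Python below applies the usual command-line indicators for these behaviours (vssadmin/wmic shadow-copy deletion, bcdedit recovery tampering, wevtutil log clearing, and a document handler spawning a shell) to constructed Sysmon-style process-creation records, and rolls the hits up per ATT&CK technique the same way the report's matrix counts signatures rather than events. The regex patterns, the parent/child process lists and the sample records are assumptions for illustration, not data recovered from this sample.

```python
"""Triage process-creation records for the behaviours flagged in the report.

Added example; the rules and sample events are assumptions, not data from the
analysed sample.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 fields)."""
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    signature: str
    technique: Optional[str]  # None where the report itself assigns no technique
    event: ProcEvent


# Command-line indicators behind the signatures. These are assumed typical
# tooling; the report does not list the exact commands the sample ran.
COMMAND_RULES = [
    ("Deletes shadow copies", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("Deletes shadow copies", "T1490",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("Deletes shadow copies", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("Modifies boot configuration data using bcdedit", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("Clears Windows event logs", "T1070",
     re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I)),
    ("Clears Windows event logs", "T1070",
     re.compile(r"\bClear-EventLog\b", re.I)),
]

# Parent/child pairing behind "Process spawned unexpected child process":
# document handlers should not be launching shells or script hosts. (Assumed lists.)
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: List[ProcEvent]) -> List[Finding]:
    """Return one Finding per (event, matching rule)."""
    findings: List[Finding] = []
    for ev in events:
        if _basename(ev.parent_image) in DOCUMENT_PARENTS and _basename(ev.image) in SCRIPT_CHILDREN:
            findings.append(Finding("Process spawned unexpected child process", None, ev))
        for signature, technique, pattern in COMMAND_RULES:
            if pattern.search(ev.command_line):
                findings.append(Finding(signature, technique, ev))
    return findings


def signature_counts(findings: List[Finding]) -> Counter:
    """Number of events that hit each signature."""
    return Counter(f.signature for f in findings)


def attack_summary(findings: List[Finding]) -> Dict[str, int]:
    """Distinct signatures per ATT&CK technique, which is what the report's matrix counts."""
    per_technique: Dict[str, set] = {}
    for f in findings:
        if f.technique:
            per_technique.setdefault(f.technique, set()).add(f.signature)
    return {tech: len(sigs) for tech, sigs in per_technique.items()}


# Constructed sample records; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\Public\update.exe"'),
    ProcEvent(r"C:\Users\Public\update.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(r"C:\Users\Public\update.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic shadowcopy delete"),
    ProcEvent(r"C:\Users\Public\update.exe", r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} recoveryenabled No"),
    ProcEvent(r"C:\Users\Public\update.exe", r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(r"C:\Users\Public\update.exe", r"C:\Windows\System32\wevtutil.exe",
              "wevtutil.exe cl System"),
    # Benign administrative use that must not fire: listing shadows, not deleting them.
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin list shadows"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h.technique or '-'}] {h.signature}: {h.event.command_line}")
    print(attack_summary(hits))
```

Run against the constructed records, the summary comes out as two signatures under T1490 and one under T1070, which is how the "2" and "1" in a matrix like the one below should be read: they count distinct signatures that map to the technique, not how many times the behaviour occurred. The benign `vssadmin list shadows` record is included to show the rules are scoped to the destructive verbs rather than to the tool name.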

MITRE ATT&CK Matrix ATT&CK v6

  Tactic             Technique                      ID      Signatures
  Defense Evasion    Indicator Removal on Host      T1070   1
  Defense Evasion    File Deletion                  T1107   1
  Credential Access  Credentials in Files           T1081   1
  Discovery          Query Registry                 T1012   1
  Discovery          Peripheral Device Discovery    T1120   1
  Discovery          System Information Discovery   T1082   2
  Collection         Data from Local System         T1005   1
  Impact             Inhibit System Recovery        T1490   2

The Signatures column is the number of behavioural signatures above that map to each technique. The IDs follow ATT&CK v6; in current ATT&CK versions T1107 (File Deletion) has become sub-technique T1070.004 and T1081 (Credentials in Files) has become T1552.001, so map accordingly when correlating with newer detection content.

Tasks