7998cca7210729d57d154d5aa5045d8929759766799e8791b38a77867a375282 | Triage

Submit
Reports

Overview

overview

Static

static

6

_.msi

windows7_x64

8

_.msi

windows10_x64

8

fhoffa-n11163nkd.vbs

windows7_x64

fhoffa-n11163nkd.vbs

windows10_x64

Sharing

General

Target

fhoffa-n11163nkd.zip.zip
Size

8.2MB
Sample

210122-hwe67wsvzs
MD5

857c0c4be8e506a491a85d06cc3f52b8
SHA1

a67db996c93f78092a8552eb8ab3ba47607fb255
SHA256

7998cca7210729d57d154d5aa5045d8929759766799e8791b38a77867a375282
SHA512

ae3c7d24f0c0d392db6b1f91765f1705bc74c29c863d2698265bc35c28be4aca62590362f3cfbb3d37e4786ed177cb6b7c0709cf6c477d34e250dd425b8a83e6

Score

10^/10

persistence ransomware

Static task

static1

Behavioral task

behavioral1

Sample

_.msi

Resource

win7v20201028

persistence ransomware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

_.msi

Resource

win10v20201028

persistence ransomware

windows10_x64

0 signatures

0 seconds

Behavioral task

behavioral3

Sample

fhoffa-n11163nkd.vbs

Resource

win7v20201028

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral4

Sample

fhoffa-n11163nkd.vbs

Resource

win10v20201028

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  _
- Size
  
  11.4MB
- MD5
  
  1fa69ec9be99a31ec668e03e71f3956b
- SHA1
  
  2d35b6bf792b8a651c62c159ca90f3080d38240c
- SHA256
  
  78fcc7d75a5886b74c02f41ff4a6cc9f0d6d29ce0d4c0242d11e626363c0c7dc
- SHA512
  
  ae3af1b1db199c88531e6a4be16dce386a890176b13692a3cf6778ece49ebf04a43f5d9c8448d8680ad176bcb2615bf247d26637118fce535a8c218bf0349c2a
Score

8^/10

persistence ransomware
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- JavaScript code in executable
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
behavioral1 behavioral2
- Target
  
  fhoffa-n11163nkd.vbs
- Size
  
  17KB
- MD5
  
  8f7bc961047c054ad4f8f6e9efe117c4
- SHA1
  
  e0f66c3081be2641a1e8ea6683ff7775ace5313b
- SHA256
  
  0b5fc58aedaed72062aaf48471b814e88e6236f7c31b084ec04609836e8ac626
- SHA512
  
  62711a889488e8f7d2b1dcbbd2cc68009ae3b8bad71cbdfa546b80654c33a204c4e36398343dd432f305b1a0e64d0f1afab2529ce2c4d973b30e9245bd867de7
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

persistenceransomware

behavioral2

persistenceransomware

behavioral3

behavioral4

© 2018-2024

Terms | Privacy