dacfdf48b63d28fd4f013384825ad9706851abb90227cf0eed020d52d20602d6

Sharing

Copy URL

Twitter E-mail

General

Target

Samples.zip
Size

94.6MB
Sample

210206-d9f68dxjxx
MD5

6b1a50b50494b4f2ec0dda7b5c3d601c
SHA1

d060479eb855c85d7ca7798f7e91658ef37455b6
SHA256

dacfdf48b63d28fd4f013384825ad9706851abb90227cf0eed020d52d20602d6
SHA512

e8c1b909654be5186b788c4845c956190f962db18e6a9b7dc9af658f9d78df71e84828f6e932c4067f1d214178ecb032b9c69efe2d1f974b02e306fdf1b2f6a7

Score

10^/10

Malware Config

Targets

- Target
  
  009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78
- Size
  
  1.3MB
- MD5
  
  8d20017f576fbd58cce25637d29826ca
- SHA1
  
  cb56904366c53281e3c03f2a5dc4445dd5e82b98
- SHA256
  
  009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78
- SHA512
  
  643dc6ba2f7e77168aac3e763c9d2b3ee6af46d450fea3ff22f0b02c295e0a4e054d6089135a060833f8f0eb5987128aa31ee7534b0988c40dfcbfd48e697d4c
Score

8^/10

persistence
- Drops file in Drivers directory
- Sets DLL path for service in the registry
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  016250b7d62e49ba386404cc6db38cb65323d26cf80bc94e2810d5ab9e59fff2
- Size
  
  625KB
- MD5
  
  8349691b6c37d9e5fa75ee6365b40bf5
- SHA1
  
  4530be5b70f709d4445604148feaae73993215fe
- SHA256
  
  016250b7d62e49ba386404cc6db38cb65323d26cf80bc94e2810d5ab9e59fff2
- SHA512
  
  fe018c0efbb76bc14335fd2c18f554d6f7ee954acd5acff9d84da79fc0f92d65463ff8989b2f05a76847801c53bc8d0b6e6c70e6dfb48038cb8b0525aa29ca2c
Score

9^/10

discovery evasion persistence ransomware
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Sets DLL path for service in the registry
  persistence
- Deletes itself
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
behavioral3 behavioral4
- Target
  
  02815b72ed3449fd6004e007940ea8a8ab09bae4132739a4c7c705c2db0a1f89
- Size
  
  140KB
- MD5
  
  75c775cbfaf9bd40c504c3737e93fafd
- SHA1
  
  6bc094422cc012d99f260f9e7d1c25bcd25f84b2
- SHA256
  
  02815b72ed3449fd6004e007940ea8a8ab09bae4132739a4c7c705c2db0a1f89
- SHA512
  
  faec889de5e3519034f0bf3cde767cedda060f585671016c94d08c4245709a3110c0655c277f93e91a680ec4595a1ab744554bf36278035b99b6b81d49c88f7e
Score

10^/10

persistence ransomware
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
behavioral5 behavioral6
- Target
  
  02835ece100bb06ed759f9fa434151870e39c3ad1e429c6aace838e918b43a1a
- Size
  
  239KB
- MD5
  
  ce3eecc1cc27e753b3eeae50074c3edd
- SHA1
  
  8974741248035ea33c82234f60f95f7dc89620aa
- SHA256
  
  02835ece100bb06ed759f9fa434151870e39c3ad1e429c6aace838e918b43a1a
- SHA512
  
  0235c65316b76d9885c260e20fb8a5b655e71e3d0ffd6f84f425225ab6bdd261ae8c497e0eb819682b9d81e65e90baeb107447bde17347ce305797b0fee3730f
Score

8^/10

persistence
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
behavioral7 behavioral8
- Target
  
  02922c5d994e81629d650be2a00507ec5ca221a501fe3827b5ed03b4d9f4fb70
- Size
  
  759KB
- MD5
  
  d4bc7b620ab9ee2ded2ac783ad77dd6d
- SHA1
  
  cf658a17824bc2f247807b7d38a0c581eb968f4e
- SHA256
  
  02922c5d994e81629d650be2a00507ec5ca221a501fe3827b5ed03b4d9f4fb70
- SHA512
  
  2cec4072ae807a8d6803b6207e16cb63a579ab0248c9c16f8e5d578ca57138b6d451440adfacf275690160606c5bff8b1532b827a4e189ec92651c80f13e8e95
Score

8^/10

bootkit persistence
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral9 behavioral10
- Target
  
  03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5
- Size
  
  1.2MB
- MD5
  
  28af0e2520713b81659c95430220d2b9
- SHA1
  
  56dee9cc02f6165314ca2306667c43c58b62c047
- SHA256
  
  03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5
- SHA512
  
  65a540974359210623ce0e17bfa085d1533cd402d9dfd1cdd3be08678d5e1a9a944fa01c0a8cdc7081e9ff1959be2d84b58d61eb4ed250fcf1b4c068b4d5fba3
Score

8^/10

persistence upx
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral11 behavioral12
- Target
  
  0444af26647e6ca5ad5d0e1c48401a17ccbd162bf60dd37e5ace9e8be63a3ac1
- Size
  
  260KB
- MD5
  
  bc3ffe2761d210fa05dde9ced4ed4869
- SHA1
  
  342db0e9441152f6ac3f4babc3a4384a9d81f2c5
- SHA256
  
  0444af26647e6ca5ad5d0e1c48401a17ccbd162bf60dd37e5ace9e8be63a3ac1
- SHA512
  
  e413e787679bb447ee21e2a07ff71c7580615d8b1a8c79221f0d530092ff8bef7508ee4be3a6f1f100b2cbfc34a0837eafaea0bbb74325c88a2039ba3b1074fb
Score

1^/10
behavioral13 behavioral14
- Target
  
  05e2912f2a593ba16a5a094d319d96715cbecf025bf88bb0293caaf6beb8bc20
- Size
  
  69KB
- MD5
  
  b9c4386e1b32283598c1630be5a12503
- SHA1
  
  69de6e807271bc79657aa4e53326f4ba5a3c848c
- SHA256
  
  05e2912f2a593ba16a5a094d319d96715cbecf025bf88bb0293caaf6beb8bc20
- SHA512
  
  f46350e053c50d0a99be3f9735e0ceba305eae1bc435a363efc8cdd3e49ac623cc2a0426eea52f3eb6f06eadf71b05a284115aa8f2022704b1255078ff336f23
Score

1^/10
behavioral15 behavioral16

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Targets

Drops file in Drivers directory

Sets DLL path for service in the registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Sets DLL path for service in the registry

Deletes itself

Loads dropped DLL

Checks installed software on the system

Enumerates physical storage devices

Suspicious use of NtCreateProcessExOtherParentProcess

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Drops file in Drivers directory

Sets service image path in registry

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Executes dropped EXE

UPX packed file

Deletes itself

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16