Overview

overview

8

Static

static

XER-34T.msi

windows7_x64

XER-34T.msi

windows10_x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XER-34T.msi

  • Size

    1.8MB

  • Sample

    210207-tvtcawkpxs

  • MD5

    aedde70fbec3b017bced97e32323e559

  • SHA1

    4ee6cb0632af8cfe1c7b4e57918aae1a9c28682d

  • SHA256

    32d4a464dae9552b1a5aaf8b95c1f22d3f99ebd112245fa1a3719ad12fa26ed6

  • SHA512

    4f744b6758df23d81ea1190519687b926cd506191db081ad32cf01c2b6e05d7ebd207e1cf19147c5ba65894daad389d1c5a3919c1dfe32a5da6592001355f276

Score
8/10
bootkitpersistenceransomware

Malware Config

Targets

    • Target

      XER-34T.msi

    • Size

      1.8MB

    • MD5

      aedde70fbec3b017bced97e32323e559

    • SHA1

      4ee6cb0632af8cfe1c7b4e57918aae1a9c28682d

    • SHA256

      32d4a464dae9552b1a5aaf8b95c1f22d3f99ebd112245fa1a3719ad12fa26ed6

    • SHA512

      4f744b6758df23d81ea1190519687b926cd506191db081ad32cf01c2b6e05d7ebd207e1cf19147c5ba65894daad389d1c5a3919c1dfe32a5da6592001355f276

    Score
    8/10
    persistencebootkitransomware

    • Blocklisted process makes network request

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

      ransomwarebootkit

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks