2db7866798f1d612aab8fdccc3420096ab11f208a37bdaf3f8d49480da4c06a6 | Triage

Submit
Reports

Overview

overview

Static

static

ฺฺฺ�...ฺฺ

windows10_x64

ฺฺฺ�...ฺฺ

windows10_x64

Sharing

General

Target

r.exe
Size

7.8MB
Sample

210210-q7b2t86r5x
MD5

939ba0623704350ce7c139aabee00df5
SHA1

4407dc92a0dbc8ef99035dc682a8752f793bf55b
SHA256

2db7866798f1d612aab8fdccc3420096ab11f208a37bdaf3f8d49480da4c06a6
SHA512

76c826928eaef2a80e804ee1fb7f4a2c3d6b6370eade5c2f82671611e3253b30596655b332d19f21af714adc8015db31c3fa5dd1aa76a81b7d7840d99dc16dd1

Score

10^/10

adware persistence ransomware stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

r.exe

Resource

win10v20201028

adware persistence ransomware stealer upx

windows10_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

r.exe

Resource

win10v20201028

adware persistence ransomware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  r.exe
- Size
  
  7.8MB
- MD5
  
  939ba0623704350ce7c139aabee00df5
- SHA1
  
  4407dc92a0dbc8ef99035dc682a8752f793bf55b
- SHA256
  
  2db7866798f1d612aab8fdccc3420096ab11f208a37bdaf3f8d49480da4c06a6
- SHA512
  
  76c826928eaef2a80e804ee1fb7f4a2c3d6b6370eade5c2f82671611e3253b30596655b332d19f21af714adc8015db31c3fa5dd1aa76a81b7d7840d99dc16dd1
Score

10^/10

adware persistence ransomware stealer upx
- Registers COM server for autorun
  persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

adwarepersistenceransomwarestealerupx

behavioral2

adwarepersistenceransomwarestealer

© 2018-2024

Terms | Privacy