Overview

overview

9

Static

static

Ws-win64-3.4.3.exe

windows7_x64

9

Ws-win64-3.4.3.exe

windows10_x64

Resubmissions

11-02-2021 14:30

210211-hp1qcbqfnj 9

11-02-2021 14:27

210211-yck5qn42ra 9

11-02-2021 13:56

210211-s3z3yfdym6 9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Ws-win64-3.4.3.exe

  • Size

    58.6MB

  • Sample

    210211-yck5qn42ra

  • MD5

    b2edec241d2256ba54832db5d0ed88c4

  • SHA1

    506cd5ed2973b23106b067c3dd84dd82988c25a6

  • SHA256

    3bb02427d9c29d7fc04bf011f2e4ebd4f23ebe68f275f51d4ae36ee167b6cb03

  • SHA512

    b659222b9bc3bbe2b90296b45b6884e4aa13fd169c935c61cd6fa76d28d9a8ac24887f5519eed1f3bb49c406a91bdc2bc7b5ac05cbb58c8fc3325f8287897056

Score
9/10
bootkitdiscoveryevasionmacropersistenceransomwarexlm

Malware Config

Targets

    • Target

      Ws-win64-3.4.3.exe

    • Size

      58.6MB

    • MD5

      b2edec241d2256ba54832db5d0ed88c4

    • SHA1

      506cd5ed2973b23106b067c3dd84dd82988c25a6

    • SHA256

      3bb02427d9c29d7fc04bf011f2e4ebd4f23ebe68f275f51d4ae36ee167b6cb03

    • SHA512

      b659222b9bc3bbe2b90296b45b6884e4aa13fd169c935c61cd6fa76d28d9a8ac24887f5519eed1f3bb49c406a91bdc2bc7b5ac05cbb58c8fc3325f8287897056

    Score
    9/10
    discoveryevasionmacropersistencexlmbootkitransomware

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      evasion

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

      ransomwarebootkit

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

      macroxlm

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Software Discovery

1
T1518

Query Registry

4
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks