Overview

overview

10

Static

static

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺà...ฺฺ

windows10_x64

10

ฺฺฺ....ฺฺ

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Psc Gen 2.9 ViP Private.bin

  • Size

    141KB

  • Sample

    210215-3y5q5fjzc6

  • MD5

    094f263b6822d0188bc6a8b615ff5072

  • SHA1

    accf72fb4a0a8ffe0949ff5671c6fb08ebf22be7

  • SHA256

    9ad63be89938c8fc3a1bd9aa99d02b524e90b6927eeb7cbcfe8a0c59e5431a01

  • SHA512

    7474ac562358176ac23640ff93c11b1bf3cb7f2b2c96b3837c150446ec2cd4f00d828fdfdab1f92ab271993ae82b1d5adaf9af7f272fa0d71598e34bd2d70b6f

Score
10/10
bootkitevasionpersistenceransomware

Malware Config

Targets

    • Target

      Psc Gen 2.9 ViP Private.bin

    • Size

      141KB

    • MD5

      094f263b6822d0188bc6a8b615ff5072

    • SHA1

      accf72fb4a0a8ffe0949ff5671c6fb08ebf22be7

    • SHA256

      9ad63be89938c8fc3a1bd9aa99d02b524e90b6927eeb7cbcfe8a0c59e5431a01

    • SHA512

      7474ac562358176ac23640ff93c11b1bf3cb7f2b2c96b3837c150446ec2cd4f00d828fdfdab1f92ab271993ae82b1d5adaf9af7f272fa0d71598e34bd2d70b6f

    Score
    10/10
    bootkitevasionpersistenceransomware

    • Modifies WinLogon for persistence

      persistence

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Disables Task Manager via registry modification

      evasion

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

      ransomwarebootkit

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2behavioral3

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

2
T1004

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Tasks