General
Target: loader_317799163.zip
Size: 11.1MB
Sample: 210215-9j5dw6pstn
MD5: f838218d65b669e0f6fb97b9bd5ae90f
SHA1: 98b821a94074bb47e4c0d94304685df1776b233e
SHA256: b07da492ff578ba099dd0f36d63422d10d4b9760c8940903533d16703f28ed23
SHA512: 0f7edbb2b318f52cdd86501198e061c8ea78efc73bc698559f0611f41969811a315a3dade937406cf09ab439ea06e2ae6d039120f6978b491969a3e78e3cdeaa
Static task
static1

Behavioral task
behavioral1
Sample: loader_317799163.exe
Resource: win7v20201028

Behavioral task
behavioral2
Sample: loader_317799163.exe
Resource: win10v20201028

Behavioral task
behavioral3
Sample: tesetup.exe
Resource: win7v20201028
Malware Config
(nothing listed in the report)

Targets

Target: loader_317799163.exe
Size: 2.8MB
MD5: e58cb8a7ae78f7abd5e796a7731e3ce8
SHA1: ee2089c209a0f6ef2b1733f80b355b55c78347fd
SHA256: 73d69d476d0e8c1656d87df24a5c92d4dffe3940ae9275fd2d09271f1f5b123f
SHA512: d2fc454bb1754972db07bd86a580534cceefb00a8c3d2c1b3fa25bc786e2431b817e3870cf36346105cfadbce8bb811266058041e0990aac25d6cd4e45d2d671
Score: 10/10
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess
  A process was created with an explicitly chosen parent other than the caller (parent PID spoofing), so process-tree views show a false creator.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour; raw access to physical drives is also the precursor to the MBR write recorded for tesetup.exe below.

Target: tesetup.exe
Size: 8.5MB
MD5: e2117b1bcb242413dac0c2ab781185cf
SHA1: 87b125bd59fc9ff51e2b34ce7af0fcb63e4a906b
SHA256: 17f049fecfce6461a398d914d6c265d0e0a074fa601310698b436445135b4797
SHA512: abdeb1512b4b4488b6b1c9fb0bfeba3cd5dae3eb3ac25d530497fd7cde4dc1dccd3fbc953afef404234b6c79e1d128b70807a332c54684cf17168b4eaba56362
Signatures
- Registers COM server for autorun
- ACProtect 1.3x - 1.4x DLL software
  The file matches the signature of the ACProtect 1.3x-1.4x packer/protector, so static analysis needs an unpacking step first.
- Drops file in Drivers directory
- Executes dropped EXE
- Uses Session Manager for persistence
  Creates a Session Manager registry key to run an executable early in system boot, before the Win32 subsystem and most security tooling are up.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence that selects or suppresses behaviour by region.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk, where infostealers commonly target it.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system; together with the Session Manager and Drivers-directory activity above, this sample establishes persistence from pre-boot through early boot.
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour; here it also fits the raw-disk access needed for the MBR write above.
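The behaviours reported for both targets (process creation under a borrowed parent, Session Manager persistence, Run keys, the country-code lookup and the MBR write) can be checked on a suspect host with the script below. It is an added example, not sandbox output and not code from the samples. The report does not name the exact registry keys or values the samples touched, so the script inspects the standard Windows locations for each behaviour; the parent-spoofing heuristic and the BootExecute allow-pattern are the editor's assumptions and are marked as such in the comments. Run it from an elevated PowerShell prompt.

```powershell
# Host triage for the behaviours flagged in the report above. Added example, not
# sandbox output and not code from the samples. Registry locations are the
# standard Windows ones for each behaviour (the report does not name the exact
# keys the samples touched); the heuristics are the editor's assumptions.
# Run from an elevated PowerShell prompt on the suspect host.

function Get-BootExecuteEntries {
    # "Uses Session Manager for persistence": BootExecute runs native images before
    # the Win32 subsystem starts. Assumption: a clean box carries only
    # "autocheck autochk *" (possibly with chkdsk arguments); anything else is flagged.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $entries = (Get-ItemProperty -Path $key -Name BootExecute -ErrorAction SilentlyContinue).BootExecute
    foreach ($entry in @($entries)) {
        if (-not $entry) { continue }
        [pscustomobject]@{
            Entry      = $entry
            Suspicious = ($entry -notmatch '^autocheck autochk\b')
        }
    }
}

function Get-RunKeyEntries {
    # "Adds Run key to start application": dump the classic autostart values.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not values
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-GeoNation {
    # "Checks computer location settings": the GeoID that a registry geofence reads.
    (Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -Name Nation -ErrorAction SilentlyContinue).Nation
}

function Find-ParentSpoofCandidates {
    # "Suspicious use of NtCreateProcessExOtherParentProcess": a process created
    # under a borrowed parent handle can show a parent relationship that cannot
    # have happened naturally. Assumption: a genuine parent always predates its
    # child, so a recorded parent that started after the child is a lead.
    # PID reuse causes false positives, and a spoof onto a long-lived parent
    # (e.g. explorer.exe) is not caught by this check.
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        if ($p.ProcessId -le 4) { continue }           # Idle and System
        $parent = $byPid[[int]$p.ParentProcessId]
        if (-not $parent -or -not $parent.CreationDate -or -not $p.CreationDate) { continue }
        if ($parent.CreationDate -gt $p.CreationDate) {
            [pscustomobject]@{
                Pid        = $p.ProcessId
                Name       = $p.Name
                ParentPid  = $p.ParentProcessId
                ParentName = $parent.Name
                Reason     = 'recorded parent started after child'
            }
        }
    }
}

function Get-MbrSignature {
    # "Writes to the Master Boot Record (MBR)": read sector 0 of the first physical
    # disk and hash the 446-byte bootstrap code for comparison with a known-good
    # baseline. The partition table (bytes 446-509) is left out because it
    # legitimately differs between machines; the boot signature at 510-511 is 55AA.
    param([string]$Drive = '\\.\PhysicalDrive0')
    $stream = New-Object -TypeName System.IO.FileStream -ArgumentList $Drive, 'Open', 'Read', 'ReadWrite'
    try {
        $sector = New-Object byte[] 512
        $null = $stream.Read($sector, 0, $sector.Length)
    } finally {
        $stream.Dispose()
    }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    [pscustomobject]@{
        Drive         = $Drive
        BootSignature = '{0:X2}{1:X2}' -f $sector[510], $sector[511]
        CodeSha256    = [System.BitConverter]::ToString($sha.ComputeHash($sector, 0, 446)) -replace '-', ''
    }
}

# Usage: run everything and keep only what needs a human's eye.
Get-BootExecuteEntries | Where-Object Suspicious
Get-RunKeyEntries
"GeoID (Nation): $(Get-GeoNation)"
Find-ParentSpoofCandidates
Get-MbrSignature
```

Get-MbrSignature needs raw disk access and therefore elevation. Compare its CodeSha256 against the same value taken from a clean install of the same Windows build, not across builds: the bootstrap code differs between Windows versions, and a GPT disk carries only a protective MBR whose code area may be empty. The live parent-spoofing heuristic is deliberately narrow; the dependable detection for this technique is process-creation telemetry that records the calling process separately from the nominal parent.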