General

  • Target

    Archive.zip__ccacaxs2tbz2t6ob3e.bin.zip

  • Size

    181KB

  • Sample

    210217-1k86enhbh6

  • MD5

    3a596c68a1a25bde889abfc1a98f1fae

  • SHA1

    b6659c792ba48a48aba496f83580f032cf9d8ce7

  • SHA256

    49f3069fde864586558902105b3c44af8d644233887ad7a134272a721160632d

  • SHA512

    e5947276094b87422a2dad4a392ba68a329aa644210b551b25cfe90578db90688e58dab07f88469dffca6bbd77d7a59612f0e64b0577b081d5c984ae8540bb5e

Malware Config

Targets

    • Target

      Archive.zip__ccacaxs2tbz2t6ob3e.bin

    • Size

      430KB

    • MD5

      a3cab1a43ff58b41f61f8ea32319386b

    • SHA1

      94689e1a9e1503f1082b23e6d5984d4587f3b9ec

    • SHA256

      005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6

    • SHA512

      8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

    Tactic                 Technique                            Count  ID
    Persistence            New Service                          1      T1050
    Persistence            Registry Run Keys / Startup Folder   2      T1060
    Persistence            Winlogon Helper DLL                  1      T1004
    Privilege Escalation   New Service                          1      T1050
    Defense Evasion        Modify Registry                      6      T1112
    Defense Evasion        Install Root Certificate             1      T1130
    Credential Access      Credentials in Files                 1      T1081
    Discovery              Query Registry                       4      T1012
    Discovery              Peripheral Device Discovery          2      T1120
    Discovery              System Information Discovery         4      T1082
    Collection             Data from Local System               1      T1005
    Command and Control    Web Service                          1      T1102

Tasks