General

  • Target

    sample28.exe

  • Size

    1.6MB

  • Sample

    210224-r7nmswxxk6

  • MD5

    17b8c8318b9d86707723cd51f3d207b7

  • SHA1

    6578b0ec535385c54898ea5b72923586e5a68e11

  • SHA256

    002b59ccb82cc9a0419cec2e9b2d256498d452842405d6b1fe265b32a1a50055

  • SHA512

    042ab964dfc8e7a877b2c24f5d39f1e62698219c7545b439ba0ca4eef6b2a448eaece5c64a72eb34e1f57d4f7196ca3b340845416ca021124c72bcaf25ceccac

Malware Config

Targets

    • Target

      sample28.exe

    • Size

      1.6MB

    • MD5

      17b8c8318b9d86707723cd51f3d207b7

    • SHA1

      6578b0ec535385c54898ea5b72923586e5a68e11

    • SHA256

      002b59ccb82cc9a0419cec2e9b2d256498d452842405d6b1fe265b32a1a50055

    • SHA512

      042ab964dfc8e7a877b2c24f5d39f1e62698219c7545b439ba0ca4eef6b2a448eaece5c64a72eb34e1f57d4f7196ca3b340845416ca021124c72bcaf25ceccac

    • Modifies WinLogon for persistence

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Hidden Files and Directories

1
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

5
T1112

Hidden Files and Directories

1
T1158

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks