Overview

overview

8

Static

static

8

XMLFC-NI_58.msi

windows7_x64

XMLFC-NI_58.msi

windows10_x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XMLFC-NI_58Z1Z1T5UCKLSBW4SXSBE2.zip

  • Size

    123KB

  • Sample

    210228-f6yyyrn7s2

  • MD5

    f0058ea9b17564b4fbe604174416d465

  • SHA1

    0df24c5fed393c6f5db082c7ef69793ab8ac409b

  • SHA256

    d1a8958c685e98edaf6ee590cd9731fbde1a93e4f73269a3fe3c3e1c4f323d9c

  • SHA512

    e0a780e4b2f890e812a2d3f2151b4582daf300812b5dec0e07426bd027221787e58453e0e970a5291bb4e53edbeac5f7ec2c8ec0468fb1016a5202d0eb02d331

Score
8/10
bootkitmacropersistenceransomwarexlm

Malware Config

Targets

    • Target

      XMLFC-NI_58.msi

    • Size

      267KB

    • MD5

      84c18365351687a195a7c18a35174438

    • SHA1

      bb1b29045ec1129d5b14c96c52be0e4210de32c1

    • SHA256

      1b021df0f5252c0c54ec09eee3d47affa6a93b2b07e5002b061ced737d0db91f

    • SHA512

      8a09b41741a33af36766335d3881fc88ecfb5637de7c91e90c7de903c13c9ea4d35d7b7ad5b9eb6644803ca7c5d8146def3257bd10e35e1d2ba4186e81aebc20

    Score
    8/10
    persistencebootkitransomware

    • Blocklisted process makes network request

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

      ransomwarebootkit

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks