3b8416bdeaf5ecc4e13f93f87ab73ae1bad1eaa4bc7d143f534686375a717163 | Triage

Submit
Reports

Overview

overview

9

Static

static

Not Bot x6...ows 10

windows10_x64

Sharing

General

Target

6D90EAAA54F2CD62.bin.zip
Size

3.4MB
Sample

210302-kdmtdjfr66
MD5

71c0cbfed50d86d3d28621153e75df50
SHA1

190642e95b6bf477c53d98d56b4a439c1b6862f0
SHA256

3b8416bdeaf5ecc4e13f93f87ab73ae1bad1eaa4bc7d143f534686375a717163
SHA512

44dc94f6553179e445a00eaeff87f121670d60877c42487d032065dbc90de25ba0277f58b3fe0f9207ad2f4e5440725789092322eab5553d8b5c214d73614966

Score

9^/10

bootkit evasion macro persistence ransomware spyware trojan xlm

Static task

static1

Behavioral task

behavioral1

Sample

6D90EAAA54F2CD62.bin.exe

Resource

win10v20201028

bootkit evasion macro persistence ransomware spyware trojan xlm

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  6D90EAAA54F2CD62.bin
- Size
  
  4.1MB
- MD5
  
  123576f51da05c66ad21b3bc4658d285
- SHA1
  
  e1f3317ad84643d4d55c069cd2d5c93b9a5469f3
- SHA256
  
  6b7b6d7698016a565e4d8feecc0e387138c10206bea0719f31b21c10724b88c1
- SHA512
  
  033d7651629bacee075122080db4a4e84b926c254e437af16a346fde225d8762a875a7d27dc2e5403c5ace41f886a0371af6f8b228775d899f5d25c3ae233842
Score

9^/10

bootkit evasion macro persistence ransomware spyware trojan xlm
- Nirsoft
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bootkitevasionmacropersistenceransomwarespywaretrojanxlm

© 2018-2024

Terms | Privacy