38f55d4fb0e4721db824f7dd44b4c9b132180087f277d6ae9d5991ec89510382 | Triage

Submit
Reports

Overview

overview

Static

static

Win105M

windows10_x64

Sharing

General

Target

Release.zip
Size

82KB
Sample

210306-7ay626fp9n
MD5

ef5b4f75a6ad697960d94987933e99da
SHA1

6d85037b14162a8f0f36bbb145847ace9c55d0ac
SHA256

38f55d4fb0e4721db824f7dd44b4c9b132180087f277d6ae9d5991ec89510382
SHA512

d89eaa4b892c008aad957346f7592040fd1e39b47464fe0c871d1536ae6ce98de0de680f49689a01ebe48e68698b8357e848c8220698be1560c2d205150d117f

Score

10^/10

bootkit ransomware

Static task

static1

Behavioral task

behavioral1

Sample

Release/TorrentParser-CLI.exe

Resource

win10v20201028

bootkit ransomware

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  Release/TorrentParser-CLI.exe
- Size
  
  8KB
- MD5
  
  8a2b9a6128c3c4a9701ed0504033dd58
- SHA1
  
  9d7b57c784f3f4aa7b700a115f52c086de19b74b
- SHA256
  
  6c738a8033611e29b67057b4401e5c8718998ad7caac94d4dfb0762275956652
- SHA512
  
  93e86b3edc47b93937a7158220efae4508e048d418c94472d6474c68673fed8379055251034d28aa664c88eb6fbec930da2d4721cd591d9e5958451490f62070
Score

10^/10

bootkit ransomware
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bootkitransomware

© 2018-2024

Terms | Privacy