Overview

overview

8

Static

static

8

XMLFC-NI_27.msi

windows7_x64

XMLFC-NI_27.msi

windows10_x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XMLFC-NI_27SCWTUM2WWTY3GCFKKQ0Q.zip

  • Size

    123KB

  • Sample

    210307-jt8dhp6lrn

  • MD5

    e16a3cb9a130a41d067588400eb0a12f

  • SHA1

    a138888d84ed0e5d1fd0441966bb98e1a6a82411

  • SHA256

    d0521fb7367c52451968c8a536aac19ea449cbcd144022831cfc63bff5bc0f8e

  • SHA512

    3f783c25594f7d11dbfa6fc5026bafe9da08a2f2b6460b759d0a1d66a531055093fe2c95055cf990df63ed3768f0ce2a7cfb44a265ce454be5f0988d98234bbf

Score
8/10
bootkitmacropersistenceransomwarexlm

Malware Config

Targets

    • Target

      XMLFC-NI_27.msi

    • Size

      267KB

    • MD5

      3ba27f796d18104606b2f58744fb017c

    • SHA1

      cc253e24ab868e61419a78fc161a5546ce878bd6

    • SHA256

      e2eaa5496cb25b7d2866507d4fc494173588897b4d589b8322fc9635bac71e02

    • SHA512

      30fa4108697a1f80a3164318d953e585dee98965477e7dcbaf45d1e2194f648c0e4398ee55d3540b09897dfdbd934abed9c48141adddb41d1765109d7806320f

    Score
    8/10
    persistencebootkitransomware

    • Blocklisted process makes network request

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

      ransomwarebootkit

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks