Overview

overview

8

Static

static

8

4_23422345...84.msi

windows7_x64

4_23422345...84.msi

windows10_x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4_2342234575679328584.msi

  • Size

    266KB

  • Sample

    210311-mekbk527e2

  • MD5

    7c07a45d87cc4651a1fd84ec84a26305

  • SHA1

    a2c9403bd3c9482cf666bfef2261e0625d1b5132

  • SHA256

    53cacd3f0415f660597b5636056c0303fb9559ce5a8d9197930ef94c273be306

  • SHA512

    e60e20bdd286bde8828679a8176695119c7bb4d9e679d2ba746f272e1cf868e1a35eb2afb4e0eef15e33cf3927293110e4544d111f5c5c3dbdecea4101414684

Score
8/10
bootkitmacropersistenceransomwarexlm

Malware Config

Targets

    • Target

      4_2342234575679328584.msi

    • Size

      266KB

    • MD5

      7c07a45d87cc4651a1fd84ec84a26305

    • SHA1

      a2c9403bd3c9482cf666bfef2261e0625d1b5132

    • SHA256

      53cacd3f0415f660597b5636056c0303fb9559ce5a8d9197930ef94c273be306

    • SHA512

      e60e20bdd286bde8828679a8176695119c7bb4d9e679d2ba746f272e1cf868e1a35eb2afb4e0eef15e33cf3927293110e4544d111f5c5c3dbdecea4101414684

    Score
    8/10
    persistencebootkitransomware

    • Blocklisted process makes network request

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

      ransomwarebootkit

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks