General

  • Target

    2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe

  • Size

    464KB

  • Sample

    210426-e3n5cxdpxj

  • MD5

    fe7bc3cd6512f31d48a58caf3e558fee

  • SHA1

    5b2e6e541ea6f47e369291396a5d91564ece2eb8

  • SHA256

    2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7

  • SHA512

    26e5d85f46afcf1434ccce85836014a5adf11728a609e79a8d19d2e6da6f84588eb4b650b5b5184b66bd255cb8d4b0a19bbfad65dc7f058928c7e5bc88f1730b

Targets

    • CrypVault

      Ransomware family which makes encrypted files look like they have been quarantined by AV.

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
