General

  • Target

    compile by raminhk.exe

  • Size

    6.7MB

  • Sample

    210507-9ae1p7es9e

  • MD5

    4ce7c1e483beb642f43715a47b96e32b

  • SHA1

    47e02b2248dec9ff925d423374773a585742d0ae

  • SHA256

    d62702dc15f7812688bd00b483e2d3b54c44593c76ac7118ee85560a7bd3361e

  • SHA512

    122def960135c894e28c9f2d8dfb461e74e22efd76b31673b9462a90484eaae9b47d88a7c8f5519f10762960a669cb87ece43315dbf730a0e06e572f03aea3f1

Malware Config

Targets

    • Target

      compile by raminhk.exe

    • Size

      6.7MB

    • MD5

      4ce7c1e483beb642f43715a47b96e32b

    • SHA1

      47e02b2248dec9ff925d423374773a585742d0ae

    • SHA256

      d62702dc15f7812688bd00b483e2d3b54c44593c76ac7118ee85560a7bd3361e

    • SHA512

      122def960135c894e28c9f2d8dfb461e74e22efd76b31673b9462a90484eaae9b47d88a7c8f5519f10762960a669cb87ece43315dbf730a0e06e572f03aea3f1

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Disables Task Manager via registry modification

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

File Deletion

1
T1107

Modify Registry

3
T1112

Discovery

Process Discovery

1
T1057

Impact

Inhibit System Recovery

2
T1490

Tasks