Overview

overview

9

Static

static

8

Compile by... 2.exe

windows7_x64

9

Compile by... 2.exe

windows10_x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Compile by raminhk 2.exe

  • Size

    7.9MB

  • Sample

    210507-v5c45xknfs

  • MD5

    fb9eb8850ee963bc69583f0227803aef

  • SHA1

    a8c4277662b79d84ebec5f17b83153d364a478a7

  • SHA256

    373dd8d9b31679fa1f46779be91f0d8e378af030bffe91de45d150c78e2cae53

  • SHA512

    2d26b6f014ac2ca6b925ab5dfe259847869d3967754de91c8434f0a932bd2ec844403dfa2bc5b5c3442730c42500e2f0c45d321b416450012aae62128e74942c

Score
9/10
evasionpersistenceransomwarevmprotect

Malware Config

Targets

    • Target

      Compile by raminhk 2.exe

    • Size

      7.9MB

    • MD5

      fb9eb8850ee963bc69583f0227803aef

    • SHA1

      a8c4277662b79d84ebec5f17b83153d364a478a7

    • SHA256

      373dd8d9b31679fa1f46779be91f0d8e378af030bffe91de45d150c78e2cae53

    • SHA512

      2d26b6f014ac2ca6b925ab5dfe259847869d3967754de91c8434f0a932bd2ec844403dfa2bc5b5c3442730c42500e2f0c45d321b416450012aae62128e74942c

    Score
    9/10
    evasionpersistenceransomwarevmprotect

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Disables Task Manager via registry modification

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Deletion

1
T1107

Modify Registry

3
T1112

Credential Access

Discovery

Process Discovery

1
T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Tasks