General

  • Target

    00dfeaf9e9e405d4ef93ac3fdba22baee2fa49049639af2d0430be9b5fcd1780

  • Size

    531KB

  • Sample

    210511-kgegev5vya

  • MD5

    51b453c6be0760cee06f2168809aa3bf

  • SHA1

    dbabf47965dce2a77a96156c76d601d8cbbd5126

  • SHA256

    00dfeaf9e9e405d4ef93ac3fdba22baee2fa49049639af2d0430be9b5fcd1780

  • SHA512

    59af1fd807c563c375e3b76649593a6f6380f037c814a81044d3c38c813a24acc64d2d1292956a1335c3a7bb815453c2ea6996d313e042594bd7b8400f6809eb

Malware Config

Targets

    • Target

      00dfeaf9e9e405d4ef93ac3fdba22baee2fa49049639af2d0430be9b5fcd1780

    • Size

      531KB

    • MD5

      51b453c6be0760cee06f2168809aa3bf

    • SHA1

      dbabf47965dce2a77a96156c76d601d8cbbd5126

    • SHA256

      00dfeaf9e9e405d4ef93ac3fdba22baee2fa49049639af2d0430be9b5fcd1780

    • SHA512

      59af1fd807c563c375e3b76649593a6f6380f037c814a81044d3c38c813a24acc64d2d1292956a1335c3a7bb815453c2ea6996d313e042594bd7b8400f6809eb

    • Modifies WinLogon for persistence

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Hidden Files and Directories

1
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

6
T1112

Hidden Files and Directories

1
T1158

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Collection

Data from Local System

1
T1005

Tasks