General

  • Target

    aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202.exe

  • Size

    444KB

  • Sample

    210512-48a791hfxn

  • MD5

    fd442753c3895d868eed72f7854e2fba

  • SHA1

    477dc12f213dd05a15b61207926b478d3a0d04c7

  • SHA256

    aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202

  • SHA512

    1a7ff91196019abe9dfa93bfaca299ecd87693ef173560951b4d55f9d0c66355535bef724de26865205419e7638e57c762e332d7eff85187e9695f0a92e1d0c2

Malware Config

Targets

    • Target

      aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202.exe

    • Size

      444KB

    • MD5

      fd442753c3895d868eed72f7854e2fba

    • SHA1

      477dc12f213dd05a15b61207926b478d3a0d04c7

    • SHA256

      aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202

    • SHA512

      1a7ff91196019abe9dfa93bfaca299ecd87693ef173560951b4d55f9d0c66355535bef724de26865205419e7638e57c762e332d7eff85187e9695f0a92e1d0c2

    • CrypVault

      Ransomware family which makes encrypted files look like they have been quarantined by AV.

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks