General

  • Target

    a2112.exe

  • Size

    919KB

  • Sample

    210803-axpkkfeyjj

  • MD5

    4cd42e7aac7f89edf5764b699b2800d0

  • SHA1

    f309daa9650485d6ef6ceeccdc8c014d425a00fd

  • SHA256

    67ab2abe18b060275763e1d0c73d27c1e61b69097232ed9d048d41760a4533ef

  • SHA512

    0dcf0a9f4b15a355c3da11fbcd2276e9d96bd7b767c3cc2cdf17e3fc0b47483f3ef7f6953fd0ca232c3e9a8603be34b0f6c9d41eaac32ffff66755d8d2400440

Malware Config

Targets

    • Target

      a2112.exe

    • Size

      919KB

    • MD5

      4cd42e7aac7f89edf5764b699b2800d0

    • SHA1

      f309daa9650485d6ef6ceeccdc8c014d425a00fd

    • SHA256

      67ab2abe18b060275763e1d0c73d27c1e61b69097232ed9d048d41760a4533ef

    • SHA512

      0dcf0a9f4b15a355c3da11fbcd2276e9d96bd7b767c3cc2cdf17e3fc0b47483f3ef7f6953fd0ca232c3e9a8603be34b0f6c9d41eaac32ffff66755d8d2400440

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Hive

      A ransomware written in Golang first seen in June 2021.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Stops running service(s)

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v6

Tasks