Resubmissions

20-10-2021 11:41

211020-ntmllshaa3 8

20-10-2021 11:38

211020-nryabshhdk 8

General

  • Target

    282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample

  • Size

    52KB

  • Sample

    211020-ntmllshaa3

  • MD5

    28945b625617cfdcc444b428de0a7a00

  • SHA1

    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba

  • SHA256

    282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636

  • SHA512

    eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

Malware Config

Targets

    • Target

      282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample

    • Size

      52KB

    • MD5

      28945b625617cfdcc444b428de0a7a00

    • SHA1

      9cab670cd0d11e901cdb3f197aa18f1a6e2930ba

    • SHA256

      282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636

    • SHA512

      eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

4
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

1
T1005

Tasks