thanos | 2c6802679ce8ac5ed90bd25d25805e284c7dd5269f7805c68cc5fd965a0adc21

Resubmissions

04-11-2021 15:34

211104-sz21psghe5 10

29-10-2021 15:29

211029-swzq6saccp 10

29-10-2021 07:07

211029-hxtanshefl 8

Sharing

Copy URL

Twitter E-mail

General

Target

Worker-1.exe
Size

385KB
Sample

211104-sz21psghe5
MD5

7677a593678d9c4552578fab18a27384
SHA1

5c3b0d278df728c67122ac3ab7184c3f9ebfaa4f
SHA256

2c6802679ce8ac5ed90bd25d25805e284c7dd5269f7805c68cc5fd965a0adc21
SHA512

8bbce3eefabf7e7d900ba3fa0a42ca3be265425c8b5675e27839a1397d1653ae54e3abbd8a6b0b8ff7ab44d130afb1a81d04d57af42dc45e7227d676a335e082

Score

10^/10

Malware Config

Targets

- Target
  
  Worker-1.exe
- Size
  
  385KB
- MD5
  
  7677a593678d9c4552578fab18a27384
- SHA1
  
  5c3b0d278df728c67122ac3ab7184c3f9ebfaa4f
- SHA256
  
  2c6802679ce8ac5ed90bd25d25805e284c7dd5269f7805c68cc5fd965a0adc21
- SHA512
  
  8bbce3eefabf7e7d900ba3fa0a42ca3be265425c8b5675e27839a1397d1653ae54e3abbd8a6b0b8ff7ab44d130afb1a81d04d57af42dc45e7227d676a335e082
Score

8^/10

evasion persistence ransomware
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Downloads PsExec from SysInternals website
  Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Targets

Disables Task Manager via registry modification

Downloads MZ/PE file

Downloads PsExec from SysInternals website

Modifies Windows Firewall

Modifies extensions of user files

Enumerates connected drives

Looks up external IP address via web service

Modifies WinLogon

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2