Overview

overview

10

Static

static

7

df35c3aa41...fa.exe

windows7_x64

10

df35c3aa41...fa.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

  • Size

    2.3MB

  • Sample

    220503-zhra7sehap

  • MD5

    93d20353d7135a1086eac5855edafabf

  • SHA1

    7dc81975c33c142aba3f1351c7bc066181a2a8c6

  • SHA256

    df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

  • SHA512

    f2e8d4132b7d8fb5bce50468ef787e8708570373202c3a0cb626b192e0e0f7262718a9691453cacc49351a5e166677e3681dd387ef72c9dcb72e09257473726f

Score
10/10
wastedlockerdiscoveryevasionexploitransomwarethemidatrojan

Malware Config

Targets

    • Target

      df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

    • Size

      2.3MB

    • MD5

      93d20353d7135a1086eac5855edafabf

    • SHA1

      7dc81975c33c142aba3f1351c7bc066181a2a8c6

    • SHA256

      df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

    • SHA512

      f2e8d4132b7d8fb5bce50468ef787e8708570373202c3a0cb626b192e0e0f7262718a9691453cacc49351a5e166677e3681dd387ef72c9dcb72e09257473726f

    Score
    10/10
    wastedlockerdiscoveryevasionexploitransomwarethemidatrojan

    • WastedLocker

      Ransomware family seen in the wild since May 2020.

      ransomwarewastedlocker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Possible privilege escalation attempt

      exploit

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks