27d7981b2b13063c38356e366dc6943d3a4b4914d5d896138466c6434b7a9c01 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

27d7981b2b13063c38356e366dc6943d3a4b4914d5d896138466c6434b7a9c01
Size

484KB
Sample

220616-dnezgacba3
MD5

1dea6b49f6ae15bdd27344bb171a644a
SHA1

0a1f19c9b70ec01f5779a1ba0b892dddbb6372ce
SHA256

27d7981b2b13063c38356e366dc6943d3a4b4914d5d896138466c6434b7a9c01
SHA512

a23c71fb493051ff83054263abade51904c8c27ec3b06af8ee98f111f8b751f935bd1ef9cabd476398ae66ae1c57891846dae425818a14aeaafcfe96f2df2867

Score

9^/10

evasion persistence ransomware

Malware Config

Targets

- Target
  
  27d7981b2b13063c38356e366dc6943d3a4b4914d5d896138466c6434b7a9c01
- Size
  
  484KB
- MD5
  
  1dea6b49f6ae15bdd27344bb171a644a
- SHA1
  
  0a1f19c9b70ec01f5779a1ba0b892dddbb6372ce
- SHA256
  
  27d7981b2b13063c38356e366dc6943d3a4b4914d5d896138466c6434b7a9c01
- SHA512
  
  a23c71fb493051ff83054263abade51904c8c27ec3b06af8ee98f111f8b751f935bd1ef9cabd476398ae66ae1c57891846dae425818a14aeaafcfe96f2df2867
Score

9^/10

evasion persistence ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

evasionpersistenceransomware

behavioral2

evasionpersistenceransomware