General

  • Target

    e4b8a4401c45b62909eb4018b6e52e4bcdc552378601955f3793063490714206

  • Size

    43.6MB

  • Sample

    220923-p2x8ragfh5

  • MD5

    b04dbe5e234be427bfa1737253e026bf

  • SHA1

    4cb8d55d708b8443cccefc10d3e9258b703c9b05

  • SHA256

    e4b8a4401c45b62909eb4018b6e52e4bcdc552378601955f3793063490714206

  • SHA512

    28d96de17f1499547b2cf2c6a38d88f3efa6ac06f3f2888f7725f821f2796f0e094cd1ec148fefa6d2a69daecc3ff0c362465282378a6e31ad2f672ede73b898

  • SSDEEP

    786432:LDX8AIgUz8sQFQ16DX8AIgUz8sQFQ16DX8AIgUz8sQFQ1I:Lw/g7FQ16w/g7FQ16w/g7FQ1I

Malware Config

Targets

    • Target

      license_8_4_5_53151.exe

    • Size

      43.6MB

    • MD5

      a9b10735bdab1df5db8e6b0478720d65

    • SHA1

      29f36bd8e4d4cac6e8ca4b6bf0a1f1fd9b616345

    • SHA256

      40116c48e728a6253a7ea5946a74f196a2639a7be368d0d2c4904b76e1e784b5

    • SHA512

      9e0aa0307d3bc83b4051a7fda3bd11948feda7e4ff492f15edca611e7bc75b720e81c9a785583dfce53595fb24c3d54207884f9cc975fcb934ade964ecf126e8

    • SSDEEP

      786432:kDX8AIgUz8sQFQ16DX8AIgUz8sQFQ16DX8AIgUz8sQFQ1j:kw/g7FQ16w/g7FQ16w/g7FQ1j

    • Modifies Windows Defender notification settings

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • Windows security bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables use of System Restore points

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Registers COM server for autorun

    • Sets file to hidden

      Modifies file attributes to stop it from showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Each tactic lists its techniques as: technique name (ATT&CK ID): count.

Execution

    • Scheduled Task (T1053): 1

Persistence

    • Modify Existing Service (T1031): 1

    • Registry Run Keys / Startup Folder (T1060): 1

    • Hidden Files and Directories (T1158): 2

    • Scheduled Task (T1053): 1

Privilege Escalation

    • Bypass User Account Control (T1088): 1

    • Scheduled Task (T1053): 1

Defense Evasion

    • Modify Registry (T1112): 4

    • Disabling Security Tools (T1089): 4

    • Bypass User Account Control (T1088): 1

    • File Deletion (T1107): 2

    • Hidden Files and Directories (T1158): 2

    • File Permissions Modification (T1222): 1

Credential Access

    • Credentials in Files (T1081): 1

Discovery

    • Query Registry (T1012): 5

    • System Information Discovery (T1082): 5

    • Peripheral Device Discovery (T1120): 1

    • Process Discovery (T1057): 1

Collection

    • Data from Local System (T1005): 1

Impact

    • Inhibit System Recovery (T1490): 3

Tasks