General

  • Target

    Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe

  • Size

    149KB

  • Sample

    220929-pt342abhbp

  • MD5

    e8583ee36603531bcf5001346c7474a7

  • SHA1

    4a740bc0de76cf7597d001f5cb659b220de6dccd

  • SHA256

    792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738

  • SHA512

    fb813d434cea07aea28bf52834a125a8bd46ae7f34034a96793785c1d8cda3adc3c811af98dc6a1337a1bc6b73397d177c29d1c9ff282f29415b616b236c7e13

Malware Config

Targets

    • Target

      Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe

    • Size

      149KB

    • MD5

      e8583ee36603531bcf5001346c7474a7

    • SHA1

      4a740bc0de76cf7597d001f5cb659b220de6dccd

    • SHA256

      792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738

    • SHA512

      fb813d434cea07aea28bf52834a125a8bd46ae7f34034a96793785c1d8cda3adc3c811af98dc6a1337a1bc6b73397d177c29d1c9ff282f29415b616b236c7e13

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Modifies WinLogon for persistence

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • mimikatz is an open source tool to dump credentials on Windows

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Modifies file permissions

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger