Extracted

• • Target

    Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe

  • Size

    148KB

  • MD5

    f7fad376e883d2bab82fbae91e5874f5

  • SHA1

    76440c8a557e7c1c032f7ccb69f6f133686e8fe4

  • SHA256

    a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6

  • SHA512

    a0d768c2daa5fcdd0ebc2cc20f1379d9b68792dd63cd8f1d64da14df8d8db4e4429e6b14fcee338e303cf67fc0bdb2b8db8f2c6bd837763bb201eaa22dd1690e

  • SSDEEP

    3072:YzS2qulKP62/xAZS6Rt3T4awbhdEyvM3ylfXTkpisd7LT8EB:CS2qaKP62mZS6RZ4aw1dd0ClfD+isd7c

  Score

  10^/10

  badrabbitmimikatztroldeshbootkitdiscoveryevasionpersistenceransomwarethemidatrojanupx

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    ransomwarebadrabbit

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz

  • Modifies WinLogon for persistence

    persistence

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh

  • Checks for common network interception software

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion

  • Enumerates VirtualBox registry keys

    evasion

  • mimikatz is an open source tool to dump credentials on Windows

  • Disables RegEdit via registry modification

    evasion

  • Disables Task Manager via registry modification

    evasion

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Stops running service(s)

    evasion

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Modifies WinLogon

    persistence

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral1behavioral2