Resubmissions

  • 22-08-2024 14:25  240822-rrpjzavajm  9

  • 21-11-2022 08:25  221121-kbabsabc54  9

General

  • Target

    9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe

  • Size

    7.1MB

  • Sample

    221121-kbabsabc54

  • MD5

    6c90fa5b5c9de97a444b366ec0d14255

  • SHA1

    90cd4499a264ac9e589a0a0c98e0258067aa22a7

  • SHA256

    9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897

  • SHA512

    538d64476d2f163f7ac3b1021e287c5ae4e041c24fe2065ca970b017015fb420b34cd5f18ff69a3e62c747ac9a64b5574de2189b0ab849dbadc72070e3f21717

  • SSDEEP

    98304:AB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:RcUG4raKu24YY7HVT4hV0AD6QgqKRgX

Malware Config

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks