bb2cbfe187efe5516dcdc42472079d25b2c7be462802df209aa6386269d5afc9 | Triage

Sharing

General

Target

bb2cbfe187efe5516dcdc42472079d25b2c7be462802df209aa6386269d5afc9
Size

224KB
Sample

221125-z21zraad2t
MD5

5f3e8e6891e96477d4d9cba602e86966
SHA1

043f7cd8a45497eb4058f2a9a7ac56b396674b21
SHA256

bb2cbfe187efe5516dcdc42472079d25b2c7be462802df209aa6386269d5afc9
SHA512

5469d4d4869d9767f931ca87d9a1b936c98251b234a77d2b1f57e037276398b54b7b36fe33ca23c4c4dd18440cfc8539e016feb9a70063d163916225bf0a4891
SSDEEP

6144:2Cha39c49QSKTG9491OcrRF2zV2qV4hGm4V:2EK9ccfeG94i08zVl4w5

Score

9^/10

persistence ransomware

Malware Config

Targets

- Target
  
  bb2cbfe187efe5516dcdc42472079d25b2c7be462802df209aa6386269d5afc9
- Size
  
  224KB
- MD5
  
  5f3e8e6891e96477d4d9cba602e86966
- SHA1
  
  043f7cd8a45497eb4058f2a9a7ac56b396674b21
- SHA256
  
  bb2cbfe187efe5516dcdc42472079d25b2c7be462802df209aa6386269d5afc9
- SHA512
  
  5469d4d4869d9767f931ca87d9a1b936c98251b234a77d2b1f57e037276398b54b7b36fe33ca23c4c4dd18440cfc8539e016feb9a70063d163916225bf0a4891
- SSDEEP
  
  6144:2Cha39c49QSKTG9491OcrRF2zV2qV4hGm4V:2EK9ccfeG94i08zVl4w5
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

persistenceransomware

behavioral2