01c1d9ce41b4944e19890e9f04d743f16faf443631cb74b2f77cb5d3bec17e60 | Triage

Sharing

General

Target

01c1d9ce41b4944e19890e9f04d743f16faf443631cb74b2f77cb5d3bec17e60
Size

223KB
Sample

221126-2kre4aea2v
MD5

077e9d48158be1e6b3fc92d1b590bf02
SHA1

b5bdc018f682597fedab40996a475a343a499581
SHA256

01c1d9ce41b4944e19890e9f04d743f16faf443631cb74b2f77cb5d3bec17e60
SHA512

b35d42bcb19eafa59e52b008ad140be84efaf1c6444bef8f3bcc071aeb8baf9c6273a06af34f0cf311cfcc9b4ad1203c304bae8bcdb26efaaa2db7467de8a33e
SSDEEP

3072:f+v8l8oYcn2sxITyr29Lpg/DCGWN0b/DCLp71uNXvqE30zDmi:fjlh12sCTy64/gNy/D23uNfn0z7

Score

9^/10

persistence ransomware

Malware Config

Targets

- Target
  
  01c1d9ce41b4944e19890e9f04d743f16faf443631cb74b2f77cb5d3bec17e60
- Size
  
  223KB
- MD5
  
  077e9d48158be1e6b3fc92d1b590bf02
- SHA1
  
  b5bdc018f682597fedab40996a475a343a499581
- SHA256
  
  01c1d9ce41b4944e19890e9f04d743f16faf443631cb74b2f77cb5d3bec17e60
- SHA512
  
  b35d42bcb19eafa59e52b008ad140be84efaf1c6444bef8f3bcc071aeb8baf9c6273a06af34f0cf311cfcc9b4ad1203c304bae8bcdb26efaaa2db7467de8a33e
- SSDEEP
  
  3072:f+v8l8oYcn2sxITyr29Lpg/DCGWN0b/DCLp71uNXvqE30zDmi:fjlh12sCTy64/gNy/D23uNfn0z7
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

persistenceransomware

behavioral2