1d604efdc5016ceaef958b6f4f74e368ecfdb34cf814ce424a6793f9e16e14ad | Triage

Sharing

General

Target

1d604efdc5016ceaef958b6f4f74e368ecfdb34cf814ce424a6793f9e16e14ad
Size

279KB
Sample

221127-1sg1ysbf48
MD5

e91b9cf9e93f58d9d7d8516a3468093b
SHA1

5a8863adfc778f093ed8dd6681160bbec4552f23
SHA256

1d604efdc5016ceaef958b6f4f74e368ecfdb34cf814ce424a6793f9e16e14ad
SHA512

8da3ca5593d0c17ff0c59218ab1001459b4504dc437f5c6f29a76986f79eb825c6e46b38e796031ae55a7cb50173d003e5914a8ba95406dbb1ed51af782bbb2e
SSDEEP

6144:CrUqqA2mJ+PzPIk85rLoPQjWp+IoT9Z/KmngJJbDl6jzZH0C:2Uq52XPz785HoP8IY/K8sop0C

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Targets

- Target
  
  Message.Pdf_____________________________________________________________.exe
- Size
  
  459KB
- MD5
  
  31559db5ce662400dccef6f781b4218d
- SHA1
  
  66567121269f253f0282ecc04ad981dae54959d9
- SHA256
  
  b89e0e608175629cb724fa36e35147a81a0d48b3b1c15656783b47e7b9bd8845
- SHA512
  
  a5099e62537179fcda5e039cf0dace1753c5db550edb505dfdbbb1d342b5566d6cd712e48a8d9f900be947904aa4ea330d3d41cd7b9db0655837dc5ec93373a9
- SSDEEP
  
  12288:pnUNbLVGziGw9t89zIFEqJAosf6yqTRNnh:uNLVMxu7fh
Score

9^/10

evasion persistence ransomware trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

evasionpersistenceransomwaretrojan

behavioral2