321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81 | Triage

Submit
Reports

Overview

overview

9

Static

static

321c9ef634...81.exe

windows7-x64

9

321c9ef634...81.exe

windows10-2004-x64

9

Sharing

General

Target

321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81
Size

172KB
Sample

221128-e36w6sag3v
MD5

c517194ef951573907186b800ea321c0
SHA1

1feb029d3c69d69958b317f8763fdb65d9b2df4d
SHA256

321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81
SHA512

e8925698d7e32fac5b55fe98d7929a40be08b5cb31dac065cdfa8b65016f64eaef4aa6aa774b9ca733f1c72eabac4b6c87e6cd00c063a51d7e78d7a1651d3057
SSDEEP

3072:vwHteez3OtcHeZePIv9FTAxd8uGEnIB6P7K0Q0cNVB81VYrc0t1PbvN8KgCLn2J:/ez3OkkBVFTehI87d0WkBbv12J

Score

9^/10

persistence ransomware spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe

Resource

win7-20221111-en

persistence ransomware

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe

Resource

win10v2004-20220901-en

persistence ransomware spyware stealer

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81
- Size
  
  172KB
- MD5
  
  c517194ef951573907186b800ea321c0
- SHA1
  
  1feb029d3c69d69958b317f8763fdb65d9b2df4d
- SHA256
  
  321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81
- SHA512
  
  e8925698d7e32fac5b55fe98d7929a40be08b5cb31dac065cdfa8b65016f64eaef4aa6aa774b9ca733f1c72eabac4b6c87e6cd00c063a51d7e78d7a1651d3057
- SSDEEP
  
  3072:vwHteez3OtcHeZePIv9FTAxd8uGEnIB6P7K0Q0cNVB81VYrc0t1PbvN8KgCLn2J:/ez3OkkBVFTehI87d0WkBbv12J
Score

9^/10

persistence ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Defacement

Tasks

static1

behavioral1

persistenceransomware

behavioral2

persistenceransomwarespywarestealer

© 2018-2024

Terms | Privacy