2acc18f550ed76c02b6b52480c8063f101150671a777a75f4ed1ce8fdf501809 | Triage

Sharing

General

Target

2acc18f550ed76c02b6b52480c8063f101150671a777a75f4ed1ce8fdf501809
Size

330KB
Sample

221128-g65jmagc7x
MD5

2104c98cf906bb7d3a88b7e471e8e316
SHA1

8964bf3b65661396d4bc31fbd508cf76bfc1dc80
SHA256

2acc18f550ed76c02b6b52480c8063f101150671a777a75f4ed1ce8fdf501809
SHA512

23af0853686e5fe6c743353de55a42c6f30eb4188fd74dacd3f0027367f823a7aa873cebf3fccd7a0da923c91839e80dc656368af8438de11c4321bb87cd3ff2
SSDEEP

6144:C2v9gbj+mBpqyNSbrHjOFYi7eotrPRCqcAO8ty2jU94Yj:lv9Yj+mXNSbrDZi9ZCdSop94Yj

Score

9^/10

persistence ransomware

Malware Config

Targets

- Target
  
  2acc18f550ed76c02b6b52480c8063f101150671a777a75f4ed1ce8fdf501809
- Size
  
  330KB
- MD5
  
  2104c98cf906bb7d3a88b7e471e8e316
- SHA1
  
  8964bf3b65661396d4bc31fbd508cf76bfc1dc80
- SHA256
  
  2acc18f550ed76c02b6b52480c8063f101150671a777a75f4ed1ce8fdf501809
- SHA512
  
  23af0853686e5fe6c743353de55a42c6f30eb4188fd74dacd3f0027367f823a7aa873cebf3fccd7a0da923c91839e80dc656368af8438de11c4321bb87cd3ff2
- SSDEEP
  
  6144:C2v9gbj+mBpqyNSbrHjOFYi7eotrPRCqcAO8ty2jU94Yj:lv9Yj+mXNSbrDZi9ZCdSop94Yj
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

persistenceransomware

behavioral2