d4d36ea03fb4b3e1b33069073a8bf2c0f63a681ba51173f5d349e8f1356caf21 | Triage

Sharing

General

Target

d4d36ea03fb4b3e1b33069073a8bf2c0f63a681ba51173f5d349e8f1356caf21
Size

149KB
Sample

221128-ge297aec8z
MD5

1e4e9740b6dfd25244f39aa4bd5321c9
SHA1

19e7e9d26a12a3441ed44e32d7985e829a9acdbc
SHA256

d4d36ea03fb4b3e1b33069073a8bf2c0f63a681ba51173f5d349e8f1356caf21
SHA512

8f358cce4cb7e38e64f4a5c8e9f3bd120ff1c919452d15816edca7d872131db1842f132e5a7f45e56ff4e1887a694a073cc9f5708722d423f18728500123cfb0
SSDEEP

3072:vgZsYK3V6qRbShJvB12wtfkcRPIuxvvliXXDB3QnEN0BdYZp:3V6UmJ4rLG1uXV3QnEN0BG

Score

9^/10

persistence ransomware

Malware Config

Targets

- Target
  
  d4d36ea03fb4b3e1b33069073a8bf2c0f63a681ba51173f5d349e8f1356caf21
- Size
  
  149KB
- MD5
  
  1e4e9740b6dfd25244f39aa4bd5321c9
- SHA1
  
  19e7e9d26a12a3441ed44e32d7985e829a9acdbc
- SHA256
  
  d4d36ea03fb4b3e1b33069073a8bf2c0f63a681ba51173f5d349e8f1356caf21
- SHA512
  
  8f358cce4cb7e38e64f4a5c8e9f3bd120ff1c919452d15816edca7d872131db1842f132e5a7f45e56ff4e1887a694a073cc9f5708722d423f18728500123cfb0
- SSDEEP
  
  3072:vgZsYK3V6qRbShJvB12wtfkcRPIuxvvliXXDB3QnEN0BdYZp:3V6UmJ4rLG1uXV3QnEN0BG
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

persistenceransomware

behavioral2