General

  • Target

    f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8

  • Size

    442KB

  • Sample

    221128-gej4lsab47

  • MD5

    ad1860ba37160c5cd9c8edfd9a6f244e

  • SHA1

    afbcf0a29389b0dd2c404d3f510d9bad45c25766

  • SHA256

    f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8

  • SHA512

    3f7df7e68ba4a6156cd38240248321dff2d0e0349c3f088430709c85e8e60a453091e8d81ea58428b4dfdb40809a62b6193da4a64a9671831cbf234e3a3049b6

  • SSDEEP

    6144:SD5JMGANr/Uz1u2MZXAPwCjpeiOmxpoNYyaUYsq7q91TxfUwerPzVSWh:aD2Nr/EGCwCjpeiPxkwr0RUvRSE

Malware Config

Targets

    • Target

      f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8

    • Size

      442KB

    • MD5

      ad1860ba37160c5cd9c8edfd9a6f244e

    • SHA1

      afbcf0a29389b0dd2c404d3f510d9bad45c25766

    • SHA256

      f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8

    • SHA512

      3f7df7e68ba4a6156cd38240248321dff2d0e0349c3f088430709c85e8e60a453091e8d81ea58428b4dfdb40809a62b6193da4a64a9671831cbf234e3a3049b6

    • SSDEEP

      6144:SD5JMGANr/Uz1u2MZXAPwCjpeiOmxpoNYyaUYsq7q91TxfUwerPzVSWh:aD2Nr/EGCwCjpeiPxkwr0RUvRSE

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the sample can refuse to run in certain regions.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

    • Adds Run key to start application

    • Drops file in System32 directory

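Three of the signatures above (hiding file extensions in Explorer, adding a Run key, reading the configured country code) are purely registry-based and can be reproduced as detection logic over a registry event trace. The following is an added example written for this page, not Triage's own signature code: the event record format and the sample events are constructed, the process and file paths in them are hypothetical, the registry locations are the standard Windows keys for those settings, and which ATT&CK v6 ID each signature is counted under is an assumption taken from the matrix on this page.

```python
"""Map registry events from a sandbox or Sysmon-style trace onto the behaviour
signatures listed in this report (added example; event format is constructed)."""
import re
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class RegEvent:
    op: str          # "SetValue" (write) or "QueryValue" (read)
    process: str     # image that performed the operation (hypothetical paths below)
    key: str         # full registry key path
    value: str       # value name
    data: str = ""   # written data as text; empty for reads


@dataclass(frozen=True)
class Hit:
    signature: str   # signature name as it appears in the report
    technique: str   # ATT&CK v6 ID (assumed mapping, see lead-in)
    event: RegEvent


def _key_ends_with(key: str, suffix: str) -> bool:
    """Case-insensitive, separator-tolerant check that a key path ends in suffix."""
    norm = key.lower().replace("/", "\\").rstrip("\\")
    return norm.endswith(suffix.lower())


def _hides_file_extensions(e: RegEvent) -> bool:
    # Explorer hides extensions when HideFileExt is 1; setting it to 0 is the
    # benign direction, so only flag writes that turn hiding on.
    return (e.op == "SetValue"
            and _key_ends_with(e.key, r"\Explorer\Advanced")
            and e.value.lower() == "hidefileext"
            and e.data.strip().lower() in ("1", "0x1"))


def _adds_run_key(e: RegEvent) -> bool:
    # Any value written directly under ...\CurrentVersion\Run or RunOnce.
    return (e.op == "SetValue"
            and re.search(r"\\CurrentVersion\\Run(Once)?$", e.key, re.I) is not None)


def _reads_country_code(e: RegEvent) -> bool:
    # HKCU\Control Panel\International\Geo\Nation holds the configured country code.
    return (e.op == "QueryValue"
            and _key_ends_with(e.key, r"\Control Panel\International\Geo")
            and e.value.lower() == "nation")


# (signature name from the report, ATT&CK v6 ID from the report's matrix, predicate)
RULES: list[tuple[str, str, Callable[[RegEvent], bool]]] = [
    ("Modifies visibility of file extensions in Explorer", "T1158", _hides_file_extensions),
    ("Adds Run key to start application", "T1060", _adds_run_key),
    ("Checks computer location settings", "T1082", _reads_country_code),
]


def classify(events: Iterable[RegEvent]) -> list[Hit]:
    """Return one Hit per (event, rule) pair that matches, in trace order."""
    return [Hit(sig, tid, e) for e in events for sig, tid, pred in RULES if pred(e)]


def technique_counts(hits: Iterable[Hit]) -> dict[str, int]:
    """Per-technique tally, the same shape as the counts in the ATT&CK matrix."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.technique] = counts.get(h.technique, 0) + 1
    return counts


# Constructed sample trace (paths are hypothetical, not from the report).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
SAMPLE_EVENTS = [
    RegEvent("SetValue", SAMPLE,
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
             "HideFileExt", "1"),
    RegEvent("SetValue", SAMPLE,
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "Updater", r"C:\Users\Admin\AppData\Roaming\svc.exe"),
    RegEvent("QueryValue", SAMPLE,
             r"HKCU\Control Panel\International\Geo", "Nation"),
    # Benign control: Explorer turning extension display back ON must not match.
    RegEvent("SetValue", r"C:\Windows\explorer.exe",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
             "HideFileExt", "0"),
]

if __name__ == "__main__":
    for h in classify(SAMPLE_EVENTS):
        print(f"[{h.technique}] {h.signature}: {h.event.key}\\{h.event.value}")
    print(technique_counts(classify(SAMPLE_EVENTS)))
```

The benign control event is the point of the HideFileExt rule: a rule that fires on any write to that value would flag a user re-enabling extension display, so the predicate checks the written data as well as the key and value name.
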
MITRE ATT&CK Matrix (ATT&CK v6)

The number after each technique is how many of the matched signatures above were mapped to it.

  • Persistence

    Hidden Files and Directories (T1158): 1
    Registry Run Keys / Startup Folder (T1060): 1

  • Privilege Escalation

    Bypass User Account Control (T1088): 1

  • Defense Evasion

    Hidden Files and Directories (T1158): 1
    Modify Registry (T1112): 4
    Bypass User Account Control (T1088): 1
    Disabling Security Tools (T1089): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 1

Note: these IDs follow ATT&CK v6. In current ATT&CK versions several were folded into sub-techniques: T1158 became T1564.001, T1060 became T1547.001, T1088 became T1548.002, T1089 became T1562.001 and T1081 became T1552.001; T1112, T1012, T1082 and T1005 kept their IDs. Map them before comparing this report against detections written for a newer ATT&CK version.

Tasks