c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357 | Triage

Sharing

General

Target

c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357
Size

201KB
Sample

221128-gf1sraac44
MD5

3d3ad4451fe3dbbf4b65019c45350ebe
SHA1

b9ce92343985301e9fb9c9bbba3d7882d4d8c206
SHA256

c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357
SHA512

c45a874c766ceb415106cc2d6a4f0325e62d1f5d34d4b6320a3d2ea4040c5a786fa6b83c674aa2242a7e119b8c114521009f7b8db40180f2b65baf2620780af1
SSDEEP

6144:K6RUQzD5g9q7hiQc6vxLX3vxq3w+XEUZAVIr9:KVQz1vNiQJ9X3v431EBVe

Score

9^/10

persistence ransomware

Malware Config

Targets

- Target
  
  c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357
- Size
  
  201KB
- MD5
  
  3d3ad4451fe3dbbf4b65019c45350ebe
- SHA1
  
  b9ce92343985301e9fb9c9bbba3d7882d4d8c206
- SHA256
  
  c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357
- SHA512
  
  c45a874c766ceb415106cc2d6a4f0325e62d1f5d34d4b6320a3d2ea4040c5a786fa6b83c674aa2242a7e119b8c114521009f7b8db40180f2b65baf2620780af1
- SSDEEP
  
  6144:K6RUQzD5g9q7hiQc6vxLX3vxq3w+XEUZAVIr9:KVQz1vNiQJ9X3v431EBVe
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

persistenceransomware

behavioral2