bb5b1ea5a20e3368473fc5e777b0589bf6b52c568d17c584653b3f4698dd67a4 | Triage

Sharing

General

Target

bb5b1ea5a20e3368473fc5e777b0589bf6b52c568d17c584653b3f4698dd67a4
Size

272KB
Sample

221128-ggw6ysee2t
MD5

baf3947937254c5d2112d879bc059994
SHA1

828d6783742e3b6f7b0142b116621a53e848c061
SHA256

bb5b1ea5a20e3368473fc5e777b0589bf6b52c568d17c584653b3f4698dd67a4
SHA512

58acd6c8df3f3e4bb43995f1cb210707efe3b8d0d21e65390798e0e0ab5612632ef06d0dbafa6b19e928cd87f0dbb7d036c9617a42a56aed59a83bba098ac165
SSDEEP

6144:nAz71iSbYGYBdo0FiU2sauK9ZZLjhwXvY2vuRC+4:nAzp7bxYHo036BfhwXQ2mRCV

Score

9^/10

persistence ransomware

Malware Config

Targets

- Target
  
  bb5b1ea5a20e3368473fc5e777b0589bf6b52c568d17c584653b3f4698dd67a4
- Size
  
  272KB
- MD5
  
  baf3947937254c5d2112d879bc059994
- SHA1
  
  828d6783742e3b6f7b0142b116621a53e848c061
- SHA256
  
  bb5b1ea5a20e3368473fc5e777b0589bf6b52c568d17c584653b3f4698dd67a4
- SHA512
  
  58acd6c8df3f3e4bb43995f1cb210707efe3b8d0d21e65390798e0e0ab5612632ef06d0dbafa6b19e928cd87f0dbb7d036c9617a42a56aed59a83bba098ac165
- SSDEEP
  
  6144:nAz71iSbYGYBdo0FiU2sauK9ZZLjhwXvY2vuRC+4:nAzp7bxYHo036BfhwXQ2mRCV
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

persistenceransomware

behavioral2