a9fbc8d8cace2c2d0fd253f7e70b012457ae9665bf8c19ed7604b00a0b819388 | Triage

Sharing

General

Target

a9fbc8d8cace2c2d0fd253f7e70b012457ae9665bf8c19ed7604b00a0b819388
Size

140KB
Sample

221128-gkfndaae53
MD5

ec8f375201e7fc6d1442c6ce573d0727
SHA1

9943ea8973b7535085b1792414db5cdf6721d398
SHA256

a9fbc8d8cace2c2d0fd253f7e70b012457ae9665bf8c19ed7604b00a0b819388
SHA512

edb3f9d5ee1bdd1c82e761f78156ebc88efd81146784fe9ba132ce2d8d77e34313fffc7e9f7566ed686f8e6e7be3b09bfd53c55325c529b03c7e76fb00d6c4f7
SSDEEP

3072:KoKY3eLtmelOckbmWl0O+UdNm/Q5v1p5E71i8PKc:KoK4cmKOckbmWyZUTvp5cV

Score

9^/10

persistence ransomware

Malware Config

Targets

- Target
  
  a9fbc8d8cace2c2d0fd253f7e70b012457ae9665bf8c19ed7604b00a0b819388
- Size
  
  140KB
- MD5
  
  ec8f375201e7fc6d1442c6ce573d0727
- SHA1
  
  9943ea8973b7535085b1792414db5cdf6721d398
- SHA256
  
  a9fbc8d8cace2c2d0fd253f7e70b012457ae9665bf8c19ed7604b00a0b819388
- SHA512
  
  edb3f9d5ee1bdd1c82e761f78156ebc88efd81146784fe9ba132ce2d8d77e34313fffc7e9f7566ed686f8e6e7be3b09bfd53c55325c529b03c7e76fb00d6c4f7
- SSDEEP
  
  3072:KoKY3eLtmelOckbmWl0O+UdNm/Q5v1p5E71i8PKc:KoK4cmKOckbmWyZUTvp5cV
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

persistenceransomware

behavioral2