8c295763d1f6ae3cd31cefdd354dbe2208d06f5a7bb5f947d6e044da015fdf88 | Triage

Sharing

General

Target

8c295763d1f6ae3cd31cefdd354dbe2208d06f5a7bb5f947d6e044da015fdf88
Size

175KB
Sample

221128-gqmc4sah84
MD5

a39f7f890e4aa66827afb5511ec8623b
SHA1

68bc24e244c7ad17aec4bf7d24b5d76c3c54b3b7
SHA256

8c295763d1f6ae3cd31cefdd354dbe2208d06f5a7bb5f947d6e044da015fdf88
SHA512

cba83de2666d8181e58f5362ef7883f07133ab0f586d8e99f80c6915638e0c338af36dfd3baa1bda698279d397efc21c7bbfa777d15d767239767401a5a81ce8
SSDEEP

3072:gBeNJxbKuF7LKpuwFvdNUPnd7FaBXfOX0seK2RKCMHrzIMwY3QLIZO+wC:BJUwL+uWdNid7wBvOXyMfF/J

Score

9^/10

persistence ransomware

Malware Config

Targets

- Target
  
  8c295763d1f6ae3cd31cefdd354dbe2208d06f5a7bb5f947d6e044da015fdf88
- Size
  
  175KB
- MD5
  
  a39f7f890e4aa66827afb5511ec8623b
- SHA1
  
  68bc24e244c7ad17aec4bf7d24b5d76c3c54b3b7
- SHA256
  
  8c295763d1f6ae3cd31cefdd354dbe2208d06f5a7bb5f947d6e044da015fdf88
- SHA512
  
  cba83de2666d8181e58f5362ef7883f07133ab0f586d8e99f80c6915638e0c338af36dfd3baa1bda698279d397efc21c7bbfa777d15d767239767401a5a81ce8
- SSDEEP
  
  3072:gBeNJxbKuF7LKpuwFvdNUPnd7FaBXfOX0seK2RKCMHrzIMwY3QLIZO+wC:BJUwL+uWdNid7wBvOXyMfF/J
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

persistenceransomware

behavioral2