General

  • Target

    57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d

  • Size

    298KB

  • Sample

    221128-gz8byafg9y

  • MD5

    dc604cc2ab66e0032438fc9fc5fac14a

  • SHA1

    ec8cb465b71bb2996c62b4e61d2f854aa5f2e08a

  • SHA256

    57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d

  • SHA512

    15bc431ad3d83833740d12b3fabb0e63448538621680321becd8cf7a40739386b227f02d77c2c6e4589f2ecc65c616dacd876e4bec04fe18ba0edfb1faf7ef1b

  • SSDEEP

    6144:F5cp5Xtlc5AOYKlJ8NdULIUxm6EEBtt4lA2d2WSwggC4H/uuH:F5W3l+hwUkiFEEBDlgAwlC4HfH
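Before pulling this sample into a lab, confirm that the file you obtained is the one the report describes. The script below is an added example (not the sandbox's own tooling): it streams a file through the four cryptographic digests listed above and reports any that differ from the reported values. SSDEEP is not in the Python standard library, so the fuzzy hash is not checked here.

```python
"""Verify a downloaded sample against the digests listed in the report.
Added example; not the sandbox's own code."""
import hashlib
import io

# Digests copied from the report for this sample.
REPORTED = {
    "md5": "dc604cc2ab66e0032438fc9fc5fac14a",
    "sha1": "ec8cb465b71bb2996c62b4e61d2f854aa5f2e08a",
    "sha256": "57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d",
    "sha512": "15bc431ad3d83833740d12b3fabb0e63448538621680321becd8cf7a40739386"
              "b227f02d77c2c6e4589f2ecc65c616dacd876e4bec04fe18ba0edfb1faf7ef1b",
}


def digests_of_stream(fh, chunk_size=1 << 20):
    """Compute all reported digest algorithms in one pass over a binary stream."""
    hashers = {name: hashlib.new(name) for name in REPORTED}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data):
    """Convenience wrapper for in-memory data (used by the self-check below)."""
    return digests_of_stream(io.BytesIO(data))


def compare(observed, expected=REPORTED):
    """Return {algorithm: (expected, observed)} for every digest that differs.
    An empty dict means the file matches the report on every algorithm."""
    return {
        name: (expected[name], observed[name])
        for name in expected
        if observed[name].lower() != expected[name].lower()
    }


def check_file(path):
    """Hash a file on disk and return its mismatches against the report."""
    with open(path, "rb") as fh:
        return compare(digests_of_stream(fh))


if __name__ == "__main__":
    import sys
    # Usage: python verify_sample.py <path-to-sample>
    mismatches = check_file(sys.argv[1])
    if not mismatches:
        print("all digests match the report")
    for name, (want, got) in mismatches.items():
        print(f"{name}: expected {want}, got {got}")
```

A mismatch on any algorithm means you are not looking at the analysed file (a re-packed variant, a truncated download, or a different artifact from the same campaign), and the behaviours listed further down should not be assumed to apply to it.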

Targets

    • Target

      57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d

    • Modifies visibility of hidden/system files in Explorer

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Disables taskbar notifications via registry modification

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
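Several of the signatures above correspond to host telemetry that can be matched directly: a process-creation event for the shadow-copy deletion, registry value-set events for the Run key, policy Run key and Explorer hidden-file setting, and a DNS query for the external-IP lookup. The rules below are an added example (not the sandbox's own detection logic) run over constructed Sysmon-style events; the field names follow Sysmon event IDs 1, 13 and 22, the IP-lookup host list is an assumed watchlist because the report does not name the service used, and signatures for which the page gives no concrete indicator (UAC bypass, taskbar notifications, the blocklisted process) are deliberately not modelled.

```python
"""Match the report's behavioural signatures against Sysmon-style events.
Added example; not the sandbox's own rules. Events are constructed."""
import re

# Process command lines that delete Volume Shadow Copies (report: "Deletes shadow copies").
SHADOW_COPY_DELETION = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*delete",
    re.IGNORECASE,
)
# Registry paths behind the persistence and Explorer-setting signatures.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
POLICY_RUN_KEY = re.compile(r"\\Policies\\Explorer\\Run\\", re.IGNORECASE)
HIDDEN_FILES_VALUE = re.compile(
    r"\\Explorer\\Advanced\\(Hidden|ShowSuperHidden)$", re.IGNORECASE)
# Assumed watchlist: the report says only "a legitimate IP lookup service".
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ifconfig.me", "icanhazip.com"}


def classify(event):
    """Return a list of (signature, ATT&CK v6 id) hits for a single event."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:  # Sysmon process creation
        if SHADOW_COPY_DELETION.search(event.get("CommandLine", "")):
            hits.append(("Deletes shadow copies", "T1490"))
    elif eid == 13:  # Sysmon registry value set
        target = event.get("TargetObject", "")
        if POLICY_RUN_KEY.search(target):
            hits.append(("Adds policy Run key to start application", "T1060"))
        elif RUN_KEY.search(target):
            hits.append(("Adds Run key to start application", "T1060"))
        if HIDDEN_FILES_VALUE.search(target):
            hits.append(("Modifies visibility of hidden/system files in Explorer", "T1158"))
    elif eid == 22:  # Sysmon DNS query
        if event.get("QueryName", "").lower() in IP_LOOKUP_HOSTS:
            hits.append(("Looks up external IP address via web service", "T1082"))
    return hits


def triage(events):
    """Aggregate hits over a trace: signature -> {"attack_id", "count"}."""
    summary = {}
    for event in events:
        for signature, attack_id in classify(event):
            entry = summary.setdefault(signature, {"attack_id": attack_id, "count": 0})
            entry["count"] += 1
    return summary


# Constructed events modelled on Sysmon fields; not taken from the sandbox trace.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 13, "TargetObject":
     r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "TargetObject":
     r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svc"},
    {"EventID": 13, "TargetObject":
     r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"EventID": 22, "QueryName": "api.ipify.org"},
    # Benign noise that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes.txt"},
    {"EventID": 13, "TargetObject":
     r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarGlomLevel"},
]


if __name__ == "__main__":
    for signature, info in triage(SAMPLE_EVENTS).items():
        print(f"{info['attack_id']}  x{info['count']}  {signature}")
```

The shadow-copy rule matches on the command line rather than the image name because the same effect is reachable through wmic and through WMI from PowerShell; the Run-key rule checks the policy path first so that a single registry event is attributed to one signature, as the report does.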

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                            Count  ID
Persistence           Hidden Files and Directories         1      T1158
Persistence           Registry Run Keys / Startup Folder   2      T1060
Privilege Escalation  Bypass User Account Control          1      T1088
Defense Evasion       Hidden Files and Directories         1      T1158
Defense Evasion       Modify Registry                      4      T1112
Defense Evasion       Bypass User Account Control          1      T1088
Defense Evasion       Disabling Security Tools             1      T1089
Defense Evasion       File Deletion                        2      T1107
Discovery             System Information Discovery         1      T1082
Impact                Inhibit System Recovery              2      T1490

Count is the number of matched signatures mapped to each technique. The IDs are ATT&CK v6 identifiers; several have since been retired or folded into sub-techniques (T1158 is now T1564.001, T1060 is T1547.001, T1088 is T1548.002, T1089 is T1562.001 and T1107 is T1070.004), so map them before correlating with a current-version detection catalogue.