937c85dd23722c078faa0179f163e256646aac9b47caa1c23d476d4f4100763b

General

Target

kfff_cleanup-transformed.png
Size

2.6MB
Sample

230129-zpqcgscf65
MD5

043df1141628bc8363938feada5179a0
SHA1

ec0b70cf548e81857ae3605042caec993df4b747
SHA256

937c85dd23722c078faa0179f163e256646aac9b47caa1c23d476d4f4100763b
SHA512

5c53a9aea9e497b99ae355e9e30d69509f23d49710a8537a75f886bbe146735b3b8501169d5130d3e0793dc672d33fa8bd0bd27589977c1e22b2f073bad8a340
SSDEEP

49152:wMiv/g3NzhH6JDJAhSoOhhOYimEoAgXUmPkhmiXdOK7dktcpAJEvIDBrAEIJ:wMivY3NzhKAh2EoMkkhBXdOQscp+EvIM

Score

10^/10

Malware Config

Targets

- Target
  
  kfff_cleanup-transformed.png
- Size
  
  2.6MB
- MD5
  
  043df1141628bc8363938feada5179a0
- SHA1
  
  ec0b70cf548e81857ae3605042caec993df4b747
- SHA256
  
  937c85dd23722c078faa0179f163e256646aac9b47caa1c23d476d4f4100763b
- SHA512
  
  5c53a9aea9e497b99ae355e9e30d69509f23d49710a8537a75f886bbe146735b3b8501169d5130d3e0793dc672d33fa8bd0bd27589977c1e22b2f073bad8a340
- SSDEEP
  
  49152:wMiv/g3NzhH6JDJAhSoOhhOYimEoAgXUmPkhmiXdOK7dktcpAJEvIDBrAEIJ:wMivY3NzhKAh2EoMkkhBXdOQscp+EvIM
Score

10^/10

adware bootkit discovery evasion exploit persistence ransomware spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies Windows Defender notification settings
  evasion trojan
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Modifies system executable filetype association
  persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Modifies Windows Firewall
  evasion
- Possible privilege escalation attempt
  exploit
- Registers COM server for autorun
  persistence
- Sets file execution options in registry
  persistence
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1