39227e6aecf35b9c34a44ca58e9896727c0fac8235cbf38ec49a3ccb701b8af1 | Triage

Submit
Reports

Overview

overview

9

Static

static

1

balu.msi

windows7-x64

8

balu.msi

windows10-2004-x64

9

Sharing

General

Target

balu.msi
Size

8.4MB
Sample

230221-19am7saf71
MD5

a8cd74892388fd177dcc73a4ffcc7597
SHA1

1af61835c4e5dc78c93dad7b1352ff45350f1ae2
SHA256

39227e6aecf35b9c34a44ca58e9896727c0fac8235cbf38ec49a3ccb701b8af1
SHA512

71b40a4cf79b45c05ae89d1796ccf5e58661068a0507b4cbfe3c94490e4e12e5245b909c2309e05c053b654b13498d88bb28a7f0b051c726f8c3f2aa80914773
SSDEEP

98304:cpTzVeiYMRg1+bdf1SUlRfD/m+IN/xcEfWPRhjMoskveTiTODI3aYJSBQOXlwv08:2Reeg12ddXnv8xPWPRXXROsKsSxXb8

Score

9^/10

discovery evasion exploit ransomware themida

Static task

static1

Behavioral task

behavioral1

Sample

balu.msi

Resource

win7-20230220-en

discovery evasion exploit themida

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

balu.msi

Resource

win10v2004-20230220-en

discovery exploit ransomware themida

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  balu.msi
- Size
  
  8.4MB
- MD5
  
  a8cd74892388fd177dcc73a4ffcc7597
- SHA1
  
  1af61835c4e5dc78c93dad7b1352ff45350f1ae2
- SHA256
  
  39227e6aecf35b9c34a44ca58e9896727c0fac8235cbf38ec49a3ccb701b8af1
- SHA512
  
  71b40a4cf79b45c05ae89d1796ccf5e58661068a0507b4cbfe3c94490e4e12e5245b909c2309e05c053b654b13498d88bb28a7f0b051c726f8c3f2aa80914773
- SSDEEP
  
  98304:cpTzVeiYMRg1+bdf1SUlRfD/m+IN/xcEfWPRhjMoskveTiTODI3aYJSBQOXlwv08:2Reeg12ddXnv8xPWPRXXROsKsSxXb8
Score

9^/10

discovery evasion exploit themida ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Possible privilege escalation attempt
  exploit
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File Deletion

Hidden Files and Directories

File Permissions Modification

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

discoveryevasionexploitthemida

behavioral2

discoveryexploitransomwarethemida

© 2018-2024

Terms | Privacy