d090c4b65f8f3145301e612f6007996c2408a140fbfd09b608cee3d4a273ff26 | Triage

Submit
Reports

Overview

overview

Static

static

1

specialsurprise.exe

windows7-x64

specialsurprise.exe

windows10-2004-x64

7

Sharing

General

Target

specialsurprise.exe
Size

9.8MB
Sample

230328-g5kstsbb4y
MD5

b05fbd1bfd40e5632c36341d1f4cae47
SHA1

383df2dfd995236db0c5abcf84d867f2117215e7
SHA256

d090c4b65f8f3145301e612f6007996c2408a140fbfd09b608cee3d4a273ff26
SHA512

a40b4c4738675cb15007aca628fbf3a3a920a37e8a20c986e58539c58a4f31e6160825446fabed862793034b7072c90d33d622de5e3b8ba1b043cc519e1467aa
SSDEEP

196608:HB5HVbnvf/tlSZSKWdPcYpdo5V30UsnzKTFQCZ+nE2bZq3WFGuUa:DVrnVlitW0MowTnzwFv+ZqGFdl

Score

10^/10

bootkit evasion persistence ransomware trojan

Static task

static1

Behavioral task

behavioral1

Sample

specialsurprise.exe

Resource

win7-20230220-en

bootkit evasion persistence ransomware trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

specialsurprise.exe

Resource

win10v2004-20230221-en

bootkit persistence ransomware

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  specialsurprise.exe
- Size
  
  9.8MB
- MD5
  
  b05fbd1bfd40e5632c36341d1f4cae47
- SHA1
  
  383df2dfd995236db0c5abcf84d867f2117215e7
- SHA256
  
  d090c4b65f8f3145301e612f6007996c2408a140fbfd09b608cee3d4a273ff26
- SHA512
  
  a40b4c4738675cb15007aca628fbf3a3a920a37e8a20c986e58539c58a4f31e6160825446fabed862793034b7072c90d33d622de5e3b8ba1b043cc519e1467aa
- SSDEEP
  
  196608:HB5HVbnvf/tlSZSKWdPcYpdo5V30UsnzKTFQCZ+nE2bZq3WFGuUa:DVrnVlitW0MowTnzwFv+ZqGFdl
Score

10^/10

bootkit evasion persistence ransomware trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Bootkit

Privilege Escalation

Bypass User Account Control

Defense Evasion

Modify Registry

Bypass User Account Control

Disabling Security Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

Tasks

static1

behavioral1

bootkitevasionpersistenceransomwaretrojan

behavioral2

bootkitpersistenceransomware

© 2018-2024

Terms | Privacy