General

  • Target

    MinecraftInstaller.exe

  • Size

    32.0MB

  • Sample

    230401-rs8n8sbh8v

  • MD5

    7b681d2a775f0505b4fa4e6899730ec0

  • SHA1

    285e9a0f1c3a5aef9b63c1089c4e9847bb176d3e

  • SHA256

    1369e029a6b0da91db5e735b2942b1a5549dfb909ab1e98b919481a04b7cf5e6

  • SHA512

    4746fbd6b7094e07e82a9720b1243cb43663408a5c581a274508e8bf44fcb4e254ae24bec6951761ae488c6f64eeb938bf4d613587f93f3378174f7eea2f1016

  • SSDEEP

    393216:Tbekuyo9nMK50UGRXLePuq2ZWy/c5zFviMKe2OHmwv9CsTmsueFFza9y:OZn/G4Gqk1cWe2iTVCMue3

Malware Config

Extracted

  • Family

    metasploit

  • Version

    windows/single_exec

Extracted

  • Path

    C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

  • Ransom Note

    You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps:
    1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page".
    2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/wCtGf6gr http://goldeny4vs3nyoht.onion/wCtGf6gr
    3. Enter your personal decryption code there: wCtGf6grBHER72xmyVBmsEazARPunNUBhjzBLHiT37dCkVFHVbPBXPSVHduRM2GuakpGMBy6BnBZ89B8smdnM6SybocZ6nkz

  • URLs

    http://golden5a4eqranh7.onion/wCtGf6gr

    http://goldeny4vs3nyoht.onion/wCtGf6gr

Targets

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

    Bootkit (T1067): 1

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 5

    System Information Discovery (T1082): 6

    Peripheral Device Discovery (T1120): 2

  • Impact

    Defacement (T1491): 1