General

  • Target

    666.exe

  • Size

    86KB

  • Sample

    230403-xh3ccsge86

  • MD5

    a7f9d16f72ba1782aff84741fcc43a7a

  • SHA1

    20536bb7463d83143a0221e56c4faf2155e73bc7

  • SHA256

    1bf688e2b35c3e431a8458de0e55d30729a8ae2762568f82359ed0ccf75d65fa

  • SHA512

    59b08739c0eeedf8956a7dc44730d11548996ed1f6ef2dc6beac753fc1a6b844545250640d9f341a6c7a06f108cd43b6db98e9e7166729405e54ab9e5513a3cd

  • SSDEEP

    1536:2Uv4AYvNDT0aJQcc7T7yVx+a0NqlLjvCPTPRhnBu3gAjObfnapxjJeU:28ACb/6jIU

Malware Config

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Winlogon Helper DLL (T1004): 1

  • Bootkit (T1067): 1

Defense Evasion

  • File Deletion (T1107): 2

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Impact

  • Inhibit System Recovery (T1490): 2

Tasks