Overview

overview

10

Static

static

3

Device/Har...sf.exe

windows7-x64

10

Device/Har...sf.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SDReplicaContentFS_2023-05-17_06_39_27.zip

  • Size

    267KB

  • Sample

    230517-qzfflaec6t

  • MD5

    2b8507b365c8b95821c56b9a58e68975

  • SHA1

    1b0fecc75fd9f0c89574d57185435b04eba6dd2c

  • SHA256

    712c53daf2ba449897469fc8ece9de37dd59434d2fdfff89cd237ccc0c68b55f

  • SHA512

    d1ef12c2b8caea0ba10f8cdefff646e71e916baf649308d877827fdf499e0fa4bb837478ba4324b1d5de298c3e4b65d1ca75952ffd2905563ea6c8f514d5e188

  • SSDEEP

    6144:IEWuVb1CqCCsXsWy/uVqECTZxA/CKBfjdzPORcZfWjmQf:Ipu91CEsX7y/axyc6YLBjWCQf

Score
10/10
persistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      Device/HarddiskVolume2/PerfLogs/sf.exe

    • Size

      572KB

    • MD5

      abe06e90aeb9e69647efe1431f6a1a68

    • SHA1

      42c864d9e21ef8539b28e105932a365a145ba1dc

    • SHA256

      5c62626731856fb5e669473b39ac3deb0052b32981863f8cf697ae01c80512e5

    • SHA512

      36859bf2732ef40a917492e14aed1f3e818afe8334094d37b18eebd4a0d861ec401fe14de303ea7f8ca2d6f941f041ca7d591a048a200c7d98078cce88a08eff

    • SSDEEP

      6144:PvkQV0yspOdsQp8ecldEWuc9bPu1Y2GRxqTQXh2ikXdPLovfyT5QohoKhFlQ4on:nkQSysOJErU1cqMrkXWyT5QoOX

    Score
    10/10
    ransomwarespywarestealerpersistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Renames multiple (8528) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Renames multiple (8547) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Modifies Installed Components in the registry

      persistence

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks