Overview

overview

10

Static

static

1

WIN_202309...ro.jpg

windows10-2004-x64

Resubmissions

09-10-2023 23:32

231009-3jce8abb24 10

09-10-2023 23:25

231009-3ef8lsha7x 8

09-10-2023 23:21

231009-3cfjasba86 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    WIN_20230904_22_44_24_Pro.jpg

  • Size

    240KB

  • Sample

    231009-3cfjasba86

  • MD5

    2a34ccca435ec5f7fe7d3aa0994c43bb

  • SHA1

    957a8d917e9f795089dbc8ec95906530ba4b6ba1

  • SHA256

    a5a99b75b4cfbf2ee2fa04e09d3b4714e4710d5edde4d4807b9a15449ee3199b

  • SHA512

    7997510647b4d1999733f5af7b314f60f3dea09f970898e251754e72c8bbc18ecf5780ab1fecd4b19442d136f9a0943a95024385d60d42b1585ec46a6137545a

  • SSDEEP

    6144:cgwkJICGdV/WpuY9e5GtcYeAHsb//C7FciH:cgnJICGdV/Oe5Ge1sciH

Score
10/10
evasionpersistenceransomwaretrojan

Malware Config

Targets

    • Target

      WIN_20230904_22_44_24_Pro.jpg

    • Size

      240KB

    • MD5

      2a34ccca435ec5f7fe7d3aa0994c43bb

    • SHA1

      957a8d917e9f795089dbc8ec95906530ba4b6ba1

    • SHA256

      a5a99b75b4cfbf2ee2fa04e09d3b4714e4710d5edde4d4807b9a15449ee3199b

    • SHA512

      7997510647b4d1999733f5af7b314f60f3dea09f970898e251754e72c8bbc18ecf5780ab1fecd4b19442d136f9a0943a95024385d60d42b1585ec46a6137545a

    • SSDEEP

      6144:cgwkJICGdV/WpuY9e5GtcYeAHsb//C7FciH:cgnJICGdV/Oe5Ge1sciH

    Score
    10/10
    evasionpersistenceransomwaretrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Sets file execution options in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

6
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

3
T1490

Tasks