Resubmissions
29-10-2023 10:55  231029-m1l3zsfe3s  10
General
Target: CreamInstaller.exe
Size: 142.2MB
Sample: 231029-m1l3zsfe3s
MD5: bd07665ce7ec2bf0b9322ac6bfef35f9
SHA1: bb7869551f858ac74593311d0cffc9679cf7bb0b
SHA256: 270d4c63b45b0a88bc89dbd1e6dc8b7cb7d5c88f26496e1e9d241d810443272e
SHA512: c0c169a63ca409a341378a20c8e705b56ddacd216be793a7a5b1377a71917bd59030b6a36db698585bfd004d465e916f6107e3df80634b977e08198daf34e92b
SSDEEP: 3145728:GdlIzndV8rA56Brg0Mln+4C3RLBnrB3Yo2gXD1PK1dNHDuH+h+6qy+Ewa7UMHEuf:kadVaGAril+4K9BhYo2gz1PK5D86qyVn
Static task: static1
Behavioral task: behavioral1
Sample: CreamInstaller.exe
Resource: win10v2004-20231023-en
Malware Config
Extracted from: C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
Family: wannacry
Wallet: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Targets
Target: CreamInstaller.exe, 142.2MB (MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the sample hashes listed above)
- BadRabbit: Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- File and Directory Permissions Modification (1)
- Hide Artifacts (1): Hidden Files and Directories (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Indicator Removal (1): File Deletion (1)
- Modify Registry (5)