db198da2b695fa7fafda7fe9372148f650a6f6f56dc5e6ac66dd6aaf8c501198 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.redlc.exe
Size

4.3MB
Sample

231117-wasbrada3z
MD5

0f6b8a9515031911e922b292bd5dcfb9
SHA1

7173cb214f917bd5bc7bc45eedceffffe7789774
SHA256

db198da2b695fa7fafda7fe9372148f650a6f6f56dc5e6ac66dd6aaf8c501198
SHA512

fa5cae81c9ab8c87674b62b23230ab692aeb1758abaa4b4d22a83f5a2735edf53679b9e96cd4115e6615a43e7eded451bc2f83bf1c97696228c5e04cd363c957
SSDEEP

98304:UVXu9nxXFQ13K5qkGXT+REN8VoJmixzJ+bC9l4:su97ukGDVmemixg

Score

10^/10

evasion persistence ransomware

Malware Config

Targets

- Target
  
  NEAS.redlc.exe
- Size
  
  4.3MB
- MD5
  
  0f6b8a9515031911e922b292bd5dcfb9
- SHA1
  
  7173cb214f917bd5bc7bc45eedceffffe7789774
- SHA256
  
  db198da2b695fa7fafda7fe9372148f650a6f6f56dc5e6ac66dd6aaf8c501198
- SHA512
  
  fa5cae81c9ab8c87674b62b23230ab692aeb1758abaa4b4d22a83f5a2735edf53679b9e96cd4115e6615a43e7eded451bc2f83bf1c97696228c5e04cd363c957
- SSDEEP
  
  98304:UVXu9nxXFQ13K5qkGXT+REN8VoJmixzJ+bC9l4:su97ukGDVmemixg
Score

10^/10

evasion persistence ransomware
- Modifies WinLogon for persistence
  persistence
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Event Triggered Execution

Change Default File Association

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Event Triggered Execution

Change Default File Association

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Inhibit System Recovery

Tasks

static1

behavioral1

evasionpersistenceransomware

behavioral2

evasionpersistenceransomware