General

  • Target

    bg.png

  • Size

    116KB

  • Sample

    240210-abpflahb84

  • MD5

    2bb9fc2f71a0c3491ab6124fc3ad45e3

  • SHA1

    184d32600d68fd45016a4a63373e9525810b7eed

  • SHA256

    3bae2eb5d7e0fb4b31cebb540a028b84d6b95d6244403c481261095144c7c589

  • SHA512

    db5ab20fc1530a4c4d66119151d22c118cfbc3bd14a014aeea36f6c1f27d23a8a1c1cd08a56992f663530747abbaf147bbac257dff2c6fd1afc7829f47b3ec26

  • SSDEEP

    3072:KGCuxv60BZ3eZ4wgnZDTgKWzQ6/HGtZjpH5OwL0DEejRi:z1vHj3OaPrWV/HGTNH5Oy0IeFi

Targets

    • Target

      bg.png

    • Detected Google phishing page

    • Renames multiple (405) files with added filename extension

      Each renamed file keeps its original name and gains an extra suffix, which is the pattern ransomware leaves after encrypting files across the system.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution to (or away from) particular countries.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag (0x4) passed to NtCreateThreadEx, so an attached debugger receives no events for that thread; an anti-analysis technique.
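The behavioural signatures above are each a rule over the sandbox's event trace. The following is an added example, not the sandbox's own signature code, that re-implements four of them (mass rename with an added extension, the country-code lookup, the Uninstall-key enumeration, and the hidden-thread flag) over a constructed event list. The event dictionary format, the operation names, and the threshold of 100 renames are assumptions; the registry paths are the Windows locations the signature descriptions refer to, and the 405 renames in the constructed trace mirror the count in the report.

```python
"""Toy evaluation of the report's behavioural signatures over a sandbox event trace.

Added example; the event schema (dicts with an "op" key) and the rename
threshold are assumptions, not the sandbox's real rule engine.
"""
import ntpath
from collections import Counter

# Flag passed to NtCreateThreadEx to hide the new thread from an attached debugger.
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4

# Registry locations behind the "computer location" check (lower-cased for matching).
GEO_KEYS = (
    r"hkcu\control panel\international\geo\nation",
    r"hkcu\control panel\international\locale",
)
# Enumerated by the "installed software" check (any hive, so matched as a substring).
UNINSTALL_KEY = r"\software\microsoft\windows\currentversion\uninstall"

MASS_RENAME_THRESHOLD = 100  # assumed; the report counted 405 renames


def added_extension(src, dst):
    """Return the suffix if dst is src with one extra extension appended in the same directory, else None."""
    src_dir, src_name = ntpath.split(src)
    dst_dir, dst_name = ntpath.split(dst)
    if src_dir.lower() != dst_dir.lower() or not dst_name.startswith(src_name):
        return None  # moved elsewhere, or the name changed rather than grew
    suffix = dst_name[len(src_name):]
    return suffix if len(suffix) > 1 and suffix[0] == "." else None


def evaluate(events):
    """Run the four checks over the trace and return {signature_name: detail} for those that fired."""
    hits = {}
    renamed = Counter()  # added extension -> number of files renamed that way
    for ev in events:
        op = ev["op"]
        if op == "file_rename":
            ext = added_extension(ev["src"], ev["dst"])
            if ext:
                renamed[ext.lower()] += 1
        elif op.startswith("reg_"):
            path = ev["path"].lower()
            if path in GEO_KEYS:
                hits["checks_computer_location"] = ev["path"]
            elif UNINSTALL_KEY in path:
                hits["checks_installed_software"] = hits.get("checks_installed_software", 0) + 1
        elif op == "NtCreateThreadEx" and ev["flags"] & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            hits["hide_from_debugger"] = True
    total = sum(renamed.values())
    if total >= MASS_RENAME_THRESHOLD:
        hits["mass_rename_with_added_extension"] = {"count": total, "extensions": dict(renamed)}
    return hits


def sample_events():
    """Constructed trace: 405 encrypt-style renames, two benign renames, a geo lookup,
    two Uninstall-key reads, one hidden thread and one ordinary thread."""
    events = [
        {"op": "file_rename",
         "src": rf"C:\Users\victim\Documents\doc{i}.docx",
         "dst": rf"C:\Users\victim\Documents\doc{i}.docx.locked"}
        for i in range(405)
    ]
    # Must not count: extension replaced rather than appended, and a move to another directory.
    events.append({"op": "file_rename", "src": r"C:\Temp\tmp1.tmp", "dst": r"C:\Temp\tmp1.txt"})
    events.append({"op": "file_rename", "src": r"C:\Temp\a.bin", "dst": r"C:\Users\victim\a.bin.locked"})
    events.append({"op": "reg_query", "path": r"HKCU\Control Panel\International\Geo\Nation"})
    events.append({"op": "reg_enum", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"})
    events.append({"op": "reg_enum", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++"})
    events.append({"op": "NtCreateThreadEx", "flags": THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER})
    events.append({"op": "NtCreateThreadEx", "flags": 0x0})
    return events


if __name__ == "__main__":
    for name, detail in evaluate(sample_events()).items():
        print(f"{name}: {detail}")
```

The rename check deliberately requires the destination to be the source name plus one suffix in the same directory; a plain extension swap or a move does not count, which is what separates the ransomware pattern from ordinary file housekeeping.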

MITRE ATT&CK Enterprise v15
