Resubmissions

21-02-2024 14:00

240221-ra9htagd7x 1

10-02-2024 00:57

240210-ba6txshd27 10

General

  • Target

    master

  • Size

    157KB

  • Sample

    240210-ba6txshd27

  • MD5

    02f3de727b413d884c230b559e4fbe19

  • SHA1

    589830e09b2a00d7580be1adc9d26975fd88f6ad

  • SHA256

    53a51984004618984c2817af329f318cffc49b30b5e45e41017b7c0b9c2d5c6a

  • SHA512

    de2667b3da03ee9ce6914a247fd2a1deb8e5a3bb1d05abc3ae4e41291c55ac4321dd9225c50bbb37a9b3eaa199572cb8f71437d772fac8a61f0d322fbf5a24bf

  • SSDEEP

    3072:AofpYYRMBy1cvxC20BOjS+rzkzZfgIsWnZEic/AzL2DuqJRBf62gVSgE29xxspm4:EDuqJHffgVSgE29xxspm0niivuz3k9Nn

Malware Config

Targets

    • Target

      master

    • Size

      157KB

    • MD5

      02f3de727b413d884c230b559e4fbe19

    • SHA1

      589830e09b2a00d7580be1adc9d26975fd88f6ad

    • SHA256

      53a51984004618984c2817af329f318cffc49b30b5e45e41017b7c0b9c2d5c6a

    • SHA512

      de2667b3da03ee9ce6914a247fd2a1deb8e5a3bb1d05abc3ae4e41291c55ac4321dd9225c50bbb37a9b3eaa199572cb8f71437d772fac8a61f0d322fbf5a24bf

    • SSDEEP

      3072:AofpYYRMBy1cvxC20BOjS+rzkzZfgIsWnZEic/AzL2DuqJRBf62gVSgE29xxspm4:EDuqJHffgVSgE29xxspm0niivuz3k9Nn

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • CryptoLocker

      Ransomware family with multiple variants.

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (549) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • mimikatz is an open source tool to dump credentials on Windows

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Sets service image path in registry

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks