General
-
Target
master
-
Size
157KB
-
Sample
240210-ba6txshd27
-
MD5
02f3de727b413d884c230b559e4fbe19
-
SHA1
589830e09b2a00d7580be1adc9d26975fd88f6ad
-
SHA256
53a51984004618984c2817af329f318cffc49b30b5e45e41017b7c0b9c2d5c6a
-
SHA512
de2667b3da03ee9ce6914a247fd2a1deb8e5a3bb1d05abc3ae4e41291c55ac4321dd9225c50bbb37a9b3eaa199572cb8f71437d772fac8a61f0d322fbf5a24bf
-
SSDEEP
3072:AofpYYRMBy1cvxC20BOjS+rzkzZfgIsWnZEic/AzL2DuqJRBf62gVSgE29xxspm4:EDuqJHffgVSgE29xxspm0niivuz3k9Nn
Malware Config
Targets
-
-
Target
master
-
Size
157KB
-
MD5
02f3de727b413d884c230b559e4fbe19
-
SHA1
589830e09b2a00d7580be1adc9d26975fd88f6ad
-
SHA256
53a51984004618984c2817af329f318cffc49b30b5e45e41017b7c0b9c2d5c6a
-
SHA512
de2667b3da03ee9ce6914a247fd2a1deb8e5a3bb1d05abc3ae4e41291c55ac4321dd9225c50bbb37a9b3eaa199572cb8f71437d772fac8a61f0d322fbf5a24bf
-
SSDEEP
3072:AofpYYRMBy1cvxC20BOjS+rzkzZfgIsWnZEic/AzL2DuqJRBf62gVSgE29xxspm4:EDuqJHffgVSgE29xxspm0niivuz3k9Nn
Score10/10-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
CryptoLocker
Ransomware family with multiple variants.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (549) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
mimikatz is an open source tool to dump credentials on Windows
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Sets file execution options in registry
-
Sets service image path in registry
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Defense Evasion
Modify Registry
7Impair Defenses
3Disable or Modify Tools
2Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Indicator Removal
2File Deletion
2