cfa8e745a7570804047bc0b20accc699960fb77dfa659e9031355088ffb00c33 | Triage

Resubmissions

19/02/2024, 21:13

240219-z2w1ssdh29 9

19/02/2024, 21:12

240219-z2bpvsdg95 9

19/02/2024, 21:11

240219-z1vfksdc6y 9

19/02/2024, 21:09

240219-zzp5gadc4y 9

19/02/2024, 21:05

240219-zxln9sdg37 9

19/02/2024, 21:03

240219-zv5dladf97 10

Sharing

Copy URL Twitter E-mail

General

Target

Vaper4.exe
Size

10.6MB
Sample

240219-zv5dladf97
MD5

50faefd96a3884a0bd06b4c67d53629f
SHA1

c4445a81135f380d2316b4eee2350b537cbcc364
SHA256

cfa8e745a7570804047bc0b20accc699960fb77dfa659e9031355088ffb00c33
SHA512

0ac25c158ccd0914d0fe115c032eb514e0a789debbb0b6691514df43cfb8d3485b4171cef4ed0710627ae5683c704684d3011981eeff5ebb2625140c00b62b5f
SSDEEP

196608:6RQz0r8ovtaMDiekfc92f6NvRXACKit/YJPw71p/8:6s0r8o1aMWPfbiSwj/8

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Targets

- Target
  
  Vaper4.exe
- Size
  
  10.6MB
- MD5
  
  50faefd96a3884a0bd06b4c67d53629f
- SHA1
  
  c4445a81135f380d2316b4eee2350b537cbcc364
- SHA256
  
  cfa8e745a7570804047bc0b20accc699960fb77dfa659e9031355088ffb00c33
- SHA512
  
  0ac25c158ccd0914d0fe115c032eb514e0a789debbb0b6691514df43cfb8d3485b4171cef4ed0710627ae5683c704684d3011981eeff5ebb2625140c00b62b5f
- SSDEEP
  
  196608:6RQz0r8ovtaMDiekfc92f6NvRXACKit/YJPw71p/8:6s0r8o1aMWPfbiSwj/8
Score

10^/10

evasion trojan persistence ransomware
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Disables RegEdit via registry modification
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

behavioral2

evasionpersistenceransomwaretrojan