General

  • Target

    0908cba56879a32d2871d2eaf12b2af3.bin

  • Size

    41.3MB

  • Sample

    240317-bg8l4aag84

  • MD5

    0908cba56879a32d2871d2eaf12b2af3

  • SHA1

    27ccd746eb5da379c1df191b0d4660ef03c3f422

  • SHA256

    9c9e87c0c492673453acb1a253c8ae23ee8245531c37d6ef8ead76b6e2d1562e

  • SHA512

    c137a7d1b98063109b210b4aea9bcc6be141272fb8c41e84006e2a72f4ec218ecba4be9e56d3745679b5c3b8896ae592d2bd0205d37f3cf1d2dd717154618e0b

  • SSDEEP

    786432:rwIy/mDZ1cxBmFr5f05W2vfQCRnOgiM34V5oW3EDS7rVuzNmWiN2sA1Vrm+Aj:rw8XyB65f05fv4CRjo7pUDYumQlvAj

Malware Config

Targets

    • Target

      7ev3n.exe

    • Size

      315KB

    • MD5

      9f8bc96c96d43ecb69f883388d228754

    • SHA1

      61ed25a706afa2f6684bb4d64f69c5fb29d20953

    • SHA256

      7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

    • SHA512

      550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

    • SSDEEP

      6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv

    • Target

      Annabelle.exe

    • Size

      15.9MB

    • MD5

      0f743287c9911b4b1c726c7c7edcaf7d

    • SHA1

      9760579e73095455fcbaddfe1e7e98a2bb28bfe0

    • SHA256

      716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

    • SHA512

      2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

    • SSDEEP

      393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Target

      BadRabbit.exe

    • Size

      431KB

    • MD5

      fbbdc39af1139aebba4da004475e8839

    • SHA1

      de5c8d858e6e41da715dca1c019df0bfb92d32c0

    • SHA256

      630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

    • SHA512

      74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

    • SSDEEP

      12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • mimikatz is an open source tool to dump credentials on Windows

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Birele.exe

    • Size

      116KB

    • MD5

      41789c704a0eecfdd0048b4b4193e752

    • SHA1

      fb1e8385691fa3293b7cbfb9b2656cf09f20e722

    • SHA256

      b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

    • SHA512

      76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

    • SSDEEP

      3072:pYV/aVHN9ySTn34w33FVTyuGAxsvBLSqAKZqoqrxy031l3y:8adNlltyu3Pa5gr33

    Score
    10/10
    • Modifies WinLogon for persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks