General

  • Target

    230323-gnlc2afg8y

  • Size

    148KB

  • Sample

    240322-r8clqsfb31

  • MD5

    6ed3e3327246cc457d22bb92bd3bba8b

  • SHA1

    1329a6af26f16bb371782ff404d526eec1af9d22

  • SHA256

    72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503

  • SHA512

    f6c5428adffc10294204e0b068510d91fced02bbe02158a21294ebd5baf249aff0264021cbf7b2b9b37533b1db4daa09113abaa84435f4aa7660849f9b9257f7

  • SSDEEP

    3072:gqMedjZ064qkGda5bFxs0ZUfBpfF6Mq6qUbHlVexC6exvLsBB16UVsh8iSd:+A0rAda5bFxvYptdHl4xV+Efuh

Malware Config

Targets

    • Target

      230323-gnlc2afg8y

    • Size

      148KB

    • MD5

      6ed3e3327246cc457d22bb92bd3bba8b

    • SHA1

      1329a6af26f16bb371782ff404d526eec1af9d22

    • SHA256

      72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503

    • SHA512

      f6c5428adffc10294204e0b068510d91fced02bbe02158a21294ebd5baf249aff0264021cbf7b2b9b37533b1db4daa09113abaa84435f4aa7660849f9b9257f7

    • SSDEEP

      3072:gqMedjZ064qkGda5bFxs0ZUfBpfF6Mq6qUbHlVexC6exvLsBB16UVsh8iSd:+A0rAda5bFxvYptdHl4xV+Efuh

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Modifies WinLogon for persistence

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware

    • Detects executables packed with ConfuserEx Mod

    • UPX dump on OEP (original entry point)

    • mimikatz is an open source tool to dump credentials on Windows

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks