Resubmissions

25-03-2024 14:16

240325-rllacsad98 10

25-03-2024 14:13

240325-rjc6zaad46 10

General

  • Target

    PulseSecure.x64.msi

  • Size

    33.4MB

  • Sample

    240325-rllacsad98

  • MD5

    f964f4407a704040a3896ae03bc400b2

  • SHA1

    d02f8d469112f2a4ce22239477e56fb5baf238b3

  • SHA256

    11ab83f539594d106f32524d1fda608cd30002d49ae0e28f8a820af8ca94ffac

  • SHA512

    7b661b7df6fccfc911349f5b466bfac473a40a7c52940b261427b2a41e02b99a070a46f11260a589c590caacb0774e1b46898e61de2aa22793ed203cbc5e6f69

  • SSDEEP

    786432:8h4lrFK8ec0LrBhhRxqpxPnoMZ1za8El9JbWhH:8h4HK8e/RxqpxP1jvR

Malware Config

Targets

    • Target

      PulseSecure.x64.msi

    • Size

      33.4MB

    • MD5

      f964f4407a704040a3896ae03bc400b2

    • SHA1

      d02f8d469112f2a4ce22239477e56fb5baf238b3

    • SHA256

      11ab83f539594d106f32524d1fda608cd30002d49ae0e28f8a820af8ca94ffac

    • SHA512

      7b661b7df6fccfc911349f5b466bfac473a40a7c52940b261427b2a41e02b99a070a46f11260a589c590caacb0774e1b46898e61de2aa22793ed203cbc5e6f69

    • SSDEEP

      786432:8h4lrFK8ec0LrBhhRxqpxPnoMZ1za8El9JbWhH:8h4HK8e/RxqpxP1jvR

    • Detected Egregor ransomware

    • Egregor Ransomware

      Variant of the Sekhmet ransomware first seen in September 2020.

    • Drops file in Drivers directory

    • Modifies file permissions

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks