Overview

overview

10

Static

static

3

PreSetup 2.exe

windows7-x64

PreSetup 2.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PreSetup 2.exe

  • Size

    226KB

  • Sample

    240420-m3lj8sfd9w

  • MD5

    13f52b5eb6d4ca2fa9b6bcb6a706f80a

  • SHA1

    c032838e55f598ef2b2de9d26d056e5a2bfcc08e

  • SHA256

    0fe3174a9efe12d1c80a1c41df2a0df4e24b34e4aabb7c8e3c8dbc323046ea0e

  • SHA512

    a6c4b1c5f108af3971924a958cb1e5d1010b1da10d3c183fbe550e551efd583152ccc7505b0580cd4f866552af8a51eeb080e1181d4bfb53f28a0a7700ef3c42

  • SSDEEP

    3072:FDFfHgTWmCRkGbKGLeNTBfNOwitsxAC+CzIlzFlg:x5aWbksiNTB1OwLxXMlBlg

Score
10/10
discoveryevasionexploitpersistenceransomware

Malware Config

Targets

    • Target

      PreSetup 2.exe

    • Size

      226KB

    • MD5

      13f52b5eb6d4ca2fa9b6bcb6a706f80a

    • SHA1

      c032838e55f598ef2b2de9d26d056e5a2bfcc08e

    • SHA256

      0fe3174a9efe12d1c80a1c41df2a0df4e24b34e4aabb7c8e3c8dbc323046ea0e

    • SHA512

      a6c4b1c5f108af3971924a958cb1e5d1010b1da10d3c183fbe550e551efd583152ccc7505b0580cd4f866552af8a51eeb080e1181d4bfb53f28a0a7700ef3c42

    • SSDEEP

      3072:FDFfHgTWmCRkGbKGLeNTBfNOwitsxAC+CzIlzFlg:x5aWbksiNTB1OwLxXMlBlg

    Score
    10/10
    discoveryevasionexploitpersistenceransomware

    • Modifies firewall policy service

      evasion

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Modifies Windows Firewall

      evasion

    • Possible privilege escalation attempt

      exploit

    • Registers new Print Monitor

      persistence

    • Sets file execution options in registry

      persistence

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Registers COM server for autorun

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Privilege Escalation

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Defense Evasion

Modify Registry

4
T1112

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

File and Directory Permissions Modification

1
T1222

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Service Stop

1
T1489

Defacement

1
T1491

Resource Development

Reconnaissance

Tasks