Resubmissions

30-04-2024 10:29

240430-mjb7fshh74 10

26-04-2024 02:29

240426-cytpyahd23 10

26-04-2024 02:23

240426-cvm3zshc82 10

25-04-2024 03:51

240425-eekn2aeg39 10

General

  • Target

    Document.zip

  • Size

    102KB

  • Sample

    240426-cvm3zshc82

  • MD5

    b93f78a3953216d9d7b2641052ee2fbd

  • SHA1

    d1669609fb605781218a19dd76630cd8eb3ee3f1

  • SHA256

    0c52f70b4c340274208310ef1c9c09eee3124fb58063aee0c010a9645e417650

  • SHA512

    c8327a691e6dd32fc7c508e2f417fb5247bb556cd9132b5fd97da2335a8021b2077b8a24a74d618b308c9f141e6970faf968b9d320b38e7477621661b7abc5b8

  • SSDEEP

    3072:Oe2faB+tjQs7HwYeFsbsTlwaZqid911YO4ESlbK:Oe2fgcwsGlh4inrYO4K

Malware Config

Targets

    • Target

      Document.doc.scr

    • Size

      194KB

    • MD5

      50e5dec57451005668704281688ca55d

    • SHA1

      67dd4ac7eb8c193b39149b34d3a0d5bc21c3f200

    • SHA256

      062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1

    • SHA512

      29ca4a44795c71d3e2b4e3417355ebb93765157d464d6d5a3fe6774056d934d57081c72001fb29e47982da11e5a5ccfdbcc958d05a11fb49bd8bf84e6d0c61ad

    • SSDEEP

      3072:66glyuxE4GsUPnliByocWepRGbVZqid91h2ys+tU:66gDBGpvEByocWeubV4inP9B

    • Renames multiple (344) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks