Resubmissions
01-05-2024 18:26
240501-w3bjpsfe33 10General
-
Target
sample
-
Size
20KB
-
Sample
240501-w3bjpsfe33
-
MD5
efd8184505de45f5d4e7e82f7c887ec6
-
SHA1
3329f0c3c6d6eec149808c03a13a0b4bf63cb6e7
-
SHA256
7883074b12c8699252c28d65cedd257056fabe1f4e29d4e0dc2e725d68a70880
-
SHA512
b834b4596e86648a8ecfd93e9c996231972d13b623c18c86d82654a1764b56cda72aaf8a2eda2b98e7d9cbf316f7ae059e0c7a85ac75e13edd07491fdf7afc78
-
SSDEEP
384:rGUtcinm6MDpmReVoOs4mi9ylKeGMuUoUHhhb+iq7QS2LjMrSG+TIJCgMmVn:rGQcinhMBVoOs4mmyI1MQUBhbxM0MrS4
Malware Config
Targets
-
-
Target
sample
-
Size
20KB
-
MD5
efd8184505de45f5d4e7e82f7c887ec6
-
SHA1
3329f0c3c6d6eec149808c03a13a0b4bf63cb6e7
-
SHA256
7883074b12c8699252c28d65cedd257056fabe1f4e29d4e0dc2e725d68a70880
-
SHA512
b834b4596e86648a8ecfd93e9c996231972d13b623c18c86d82654a1764b56cda72aaf8a2eda2b98e7d9cbf316f7ae059e0c7a85ac75e13edd07491fdf7afc78
-
SSDEEP
384:rGUtcinm6MDpmReVoOs4mi9ylKeGMuUoUHhhb+iq7QS2LjMrSG+TIJCgMmVn:rGQcinhMBVoOs4mmyI1MQUBhbxM0MrS4
Score10/10-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
mimikatz is an open source tool to dump credentials on Windows
-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Modifies Windows Firewall
-
Sets file execution options in registry
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Registry
8