General

  • Target

    Dashboard _ Triage.mhtml

  • Size

    347KB

  • Sample

    240523-ss397afg28

  • MD5

    ed77d79a1e5c877ce027495943b528af

  • SHA1

    34adeb3ff3f9369e804480de07ee6a91070d9420

  • SHA256

    7fb869990ade7b8b0332d244ba8863154b4d1d60ebb6229b16073a8307b86d1f

  • SHA512

    250001f2073c5e303efe1b5e0e68888823a946f04c2f78304118430d1a1fafc24cd61ba8a0887ae907101609e59a9865b8aa8fdcf132528f74062067b48e53cf

  • SSDEEP

    6144:QoRai04pDXhhrO+ZARhtqnZGYT+mbteJBON6CdgMZWuiCm:wbQ6XMuZ

Malware Config

Targets

    • Target

      Dashboard _ Triage.mhtml

    • Size

      347KB

    • MD5

      ed77d79a1e5c877ce027495943b528af

    • SHA1

      34adeb3ff3f9369e804480de07ee6a91070d9420

    • SHA256

      7fb869990ade7b8b0332d244ba8863154b4d1d60ebb6229b16073a8307b86d1f

    • SHA512

      250001f2073c5e303efe1b5e0e68888823a946f04c2f78304118430d1a1fafc24cd61ba8a0887ae907101609e59a9865b8aa8fdcf132528f74062067b48e53cf

    • SSDEEP

      6144:QoRai04pDXhhrO+ZARhtqnZGYT+mbteJBON6CdgMZWuiCm:wbQ6XMuZ

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Target

      attachment-10

    • Size

      18KB

    • MD5

      ec3b16efe1fdc65613b9d7390b9e236d

    • SHA1

      5e0cb07744267d129a43eb909241c4ab3ea742d2

    • SHA256

      84af9930ba0c704fed0de588dfdefcd66f58213b76b2e2d2029cd0c27db76f05

    • SHA512

      3955537f5a7af20648ee279675ebdd159cf751b3fcd667d68b89896045d123f76a7db93a090b9c0fed13670a092bf397fdad423631ea2e2a31434adcad14503f

    • SSDEEP

      192:sfyrI3TW7ulixfk7bgZHXMFwyAgyYpElADT/yQ+eHmA7/wcIful7cT7bnZHXMFwQ:4yrIsfk7mKyHA7WT7NQyQA9T70QyQAJ

    Score
    1/10
    • Target

      attachment-16

    • Size

      10KB

    • MD5

      c8eacba472db7bd7ad02438579beef45

    • SHA1

      3f68c2000fba3bb9c3e164ab29872899395ea705

    • SHA256

      006d8b8ca56e761eb5744784a39125ec2ab60f678385330527ee429f845da045

    • SHA512

      dddc8baf0e1ca5f0003b8be0013c08617bec67ec728523994642e7f7bc46472191ce43afbd0514e930914db57ab9d00087fd7333d1ec4e2e8c711c28d27a2799

    • SSDEEP

      192:oo32UqRpmrIUIeYrItTcc820Nd3ZqGwFuguEz+WmtpwJ2e2PM+RXmAC06jLK:1mE0ZqCguw+WmtpwJ2PRXmAC9jLK

    Score
    1/10
    • Target

      attachment-2

    • Size

      224B

    • MD5

      8d2de7cf9a15fa7227cd99e8a9dc9563

    • SHA1

      bd7c7d8b0ba3095e39e2c71e0e5d4e3a7bb62170

    • SHA256

      aab277d076c7a34c38a247bee397b134e2a17ea7befbe99b9992fc923dbd0be0

    • SHA512

      f0b6be1a0460358c8c33ee8d20a037b895615f13e9ad38f211eb3bf8baa1a6e7bae78a3c9468147cf45abbf82b71a71d151981e8ae3b807142c2b41e381201c3

    Score
    1/10
    • Target

      attachment-3

    • Size

      77KB

    • MD5

      b5211e39d34016a26fcb7284db271d99

    • SHA1

      7bb6388f3431c4143534065c7697949ec1c5f14c

    • SHA256

      af610dccf84ae5217cdc88e90c8ba7adb19fa5447de0ddcebe89a2df2f74a05a

    • SHA512

      d689e59c349395beacd7e7ce36b7e185819ee8e25f54fa9caee0b106b5ceacf5be5201ef2e696eaf73d7b5a54c06c252d90a274ee8749647020c653982ef68a2

    • SSDEEP

      1536:Ff5+xsTW48StgZRs9Qx564grfiZJorQhaqyVJ/:FiL2Qhm

    Score
    1/10
    • Target

      attachment-4

    • Size

      303B

    • MD5

      d01ce1915edf50f5c28f38e3e67d1a0d

    • SHA1

      ed22105e03c28e3a6e458f2e10e412ed8285ac2e

    • SHA256

      7101b573628511efa02d6f6fa09d93e49d7b73a6eef29a32bcaa246e60a36522

    • SHA512

      e40199934f1ddd1d1408d4787589d883769987e53f3bb74ad7f4d2f45442f9cc5ef0acb98b9dea82464c541e22587ffc7e5f578120e1b88e0858f61e69594237

    Score
    1/10
    • Target

      attachment-5

    • Size

      4KB

    • MD5

      172eea6424e59c0c64973fc295809f76

    • SHA1

      a8818e2368829fd2b443e35670f8fb460eea23bd

    • SHA256

      279c65607bb2fb7e34c2c54f15137e6c43031d14aee93dc9f972aec7f5cdc148

    • SHA512

      987fe5d4dbe50875fb78bbb34bdfc236dc7ee20bb109962d58638b1fe6731982818c7c54784561cdc66438e77f18e82fc342591b0246988465d61251068fd688

    • SSDEEP

      96:sHH92vInqJCUfyPQvEFL9dskdsdHdDdFd42621/:sH7nq/EFL6

    Score
    1/10
    • Target

      attachment-6

    • Size

      124B

    • MD5

      96608500af4d6ac3dc36bce9d0853ea2

    • SHA1

      84a72e6eccf3423e19e48ef7ad0de3d76dd8d707

    • SHA256

      d1d5976797181140362f06118d5499c243baffc97285ed70d213e8eb4dfc067c

    • SHA512

      d22f498a225bea677e62b61e443eb2bd64e114b610d6a4058ad8530604b0e7f64c4710b336dbf19c2221c0cb66c7a5670cb045843b57b7b62267977c08cfdb72

    Score
    1/10
    • Target

      attachment-7

    • Size

      23KB

    • MD5

      7254ebe9f779e2c55a71c87d1438f200

    • SHA1

      312158c7f6f8bc15caf2e8daff617e9f48e1d712

    • SHA256

      113d7ab962b365e1aad5353b5a453012ced1344cbf4cf04eec2030e81e2e748f

    • SHA512

      c3dc336d45a864747cf971203306569f00f525d2b8508f58e68109ff96db9255720de3cbd3b32130f482dd73cf0417ed31658b7cd870e81ad9a44def3e48420d

    • SSDEEP

      384:GXfk7gQylAK0KCT7zQyiAPT7pKyFAdT7eQyGAz:yfk3ylARTQyiAPT4yFAdT1yGAz

    Score
    1/10
    • Target

      attachment-8

    • Size

      17KB

    • MD5

      e88115d10649fe20b9eb44825e874504

    • SHA1

      bd8a3e2bac2ab7e5319ab14d39eeeedfb0ec5831

    • SHA256

      c934513b446329c0d698918efb70dbf3efc40a3e28f52d12011589a1e7bd5cfc

    • SHA512

      37f47dd47b95247043c12d28f162c68f18a277d497bad8dc079201455524304b703cdddff138d223130edab4f0695ea124edae61824140788d07167b2f072bac

    • SSDEEP

      192:mT7ulIGfk7bv/ZHXMFTyAtYpElADT/yB+eH4AIfcvful7cT7bvQzHXMFYyAgyYph:m0fk71VyqAIqT72syQA+T72IymAC

    • Renames multiple (125) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Registers COM server for autorun

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Target

      attachment-9

    • Size

      41KB

    • MD5

      fce0d7b4f64fd1206b4dcccf168d0395

    • SHA1

      e38519cf0801de303e72700c1d8bed3d3d0bd749

    • SHA256

      42dcf41bda72baed40cb5eb68ec932f74166af2ca4344034d3625961c9a4d0d3

    • SHA512

      8bf0a16ae1db6e403348e6ca641893e80e5e596fb20de1e8f10c4b95baf12aef02269f59fa543de73e5797321ef23befdf06ff0bc25f5a460d79a8b2ba2c876e

    • SSDEEP

      768:qTFyFPAOpTAydLABsx/yTOAQlTOyCA3TzyCAbT9ybAI+eYXIUq:qTMPAOpTzLAmxQOAcTqA3T5AbTgAI+et

    Score
    1/10
    • Target

      email-html-1.txt

    • Size

      46KB

    • MD5

      f89ac397769c4e5408fa86d952d25e51

    • SHA1

      c736e87b7f55c3bb45f8a069025a6a5eebe9af47

    • SHA256

      67d8331321ea783243abc9948c8e8459d3fb4991b4203bb664adfdde9ac60bd2

    • SHA512

      761b12d1cea4e898c3724690707e2acf974409faa2fb2bc93e58264b89d2198992e870cc13ad98be11ab799544674f9fdda88ab8aa68ee7d10f34aa84e660b70

    • SSDEEP

      768:olwQ3eMNm8EAo5bMfJYb65mZZYO3UWUC0QcpsyZ9typpsyZ9DOPs:hMY8M5cJUZZd3UWUCBIU

    • Downloads MZ/PE file

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 4
    • Registry Run Keys / Startup Folder (T1547.001): 4

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 4
    • Registry Run Keys / Startup Folder (T1547.001): 4

Defense Evasion

  • File and Directory Permissions Modification (T1222): 2
  • Modify Registry (T1112): 4
  • Subvert Trust Controls (T1553): 1
    • Install Root Certificate (T1553.004): 1

Discovery

  • Query Registry (T1012): 13
  • System Information Discovery (T1082): 15
  • Peripheral Device Discovery (T1120): 4

Tasks