6abd97d20372a17384c5fd928ef5548da218b615247276acd7bf0a62ad3cf6e7 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

1.exe
Size

275KB
Sample

240619-12gfsaybqm
MD5

b61525d88761a974e57c8257c76ec999
SHA1

231893b80d83f297ebdc760d4a1388afd98a4dd6
SHA256

6abd97d20372a17384c5fd928ef5548da218b615247276acd7bf0a62ad3cf6e7
SHA512

0ab047b99ef446056fac3f45b62c1c65fc8675c2fff938ba3c88fe600aa969b030b2d1474bece5305e40a2220fbbdaeb0584a1630fce3b53535bb9a27ee6b53c
SSDEEP

6144:ITR3vnpRfE/UVPy/oCa+LDZWC9z5KIFXWBHdZ6Nba09IdkaNiTN:I3vnpRfzPygCa+DZvXWP09IGC2

Score

10^/10

defense_evasion evasion execution impact ransomware trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.encompossoftware.com
Port:
21
Username:
remoteuser
Password:
Encomposx99

Targets

- Target
  
  1.exe
- Size
  
  275KB
- MD5
  
  b61525d88761a974e57c8257c76ec999
- SHA1
  
  231893b80d83f297ebdc760d4a1388afd98a4dd6
- SHA256
  
  6abd97d20372a17384c5fd928ef5548da218b615247276acd7bf0a62ad3cf6e7
- SHA512
  
  0ab047b99ef446056fac3f45b62c1c65fc8675c2fff938ba3c88fe600aa969b030b2d1474bece5305e40a2220fbbdaeb0584a1630fce3b53535bb9a27ee6b53c
- SSDEEP
  
  6144:ITR3vnpRfE/UVPy/oCa+LDZWC9z5KIFXWBHdZ6Nba09IdkaNiTN:I3vnpRfzPygCa+DZvXWP09IGC2
Score

10^/10

defense_evasion evasion execution impact ransomware trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies security service
  evasion
- Modifies visibility of file extensions in Explorer
  evasion
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Windows Management Instrumentation

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Direct Volume Access

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

defense_evasionevasionexecutionimpactransomwaretrojan

behavioral2

defense_evasionevasionexecutionimpactransomwaretrojan

behavioral3

defense_evasionevasionexecutionimpactransomwaretrojan