Resubmissions
02-07-2024 23:48
240702-3tl3eawdpf 1002-07-2024 23:39
240702-3nl58awbkg 1002-07-2024 23:36
240702-3lzzaszekr 602-07-2024 06:39
240702-heslesvapn 1002-07-2024 06:28
240702-g8c76atgjr 1002-07-2024 06:22
240702-g4z65azepb 602-07-2024 06:05
240702-gs9leszbja 602-07-2024 06:00
240702-gqde7szaje 8General
-
Target
piggy.png
-
Size
1.3MB
-
Sample
240702-g8c76atgjr
-
MD5
db441b970d8b070324fad09acb7ca77f
-
SHA1
d71a69ffc7c67b2bc338d809b2a7933d1139638a
-
SHA256
38ce15ff72fe07a74ac9e4692fac7c0b964ca3c4f6def07d942fd94ecfd80981
-
SHA512
49b8b422831afec6f9600f9ee03b6ff237abf548ffecb607a38992ae72c6d27820e980e79217c784b13b6df70d56482b26a06f058bb00a326e1564f7fcb1b55d
-
SSDEEP
24576:bNkiU39wq+8/EV7QXZyP2wWYMmxtJMdhBgf0n1BcFvnbz:bNV09wq+gECnGfJ0Bu0n1OZP
Malware Config
Targets
-
-
Target
piggy.png
-
Size
1.3MB
-
MD5
db441b970d8b070324fad09acb7ca77f
-
SHA1
d71a69ffc7c67b2bc338d809b2a7933d1139638a
-
SHA256
38ce15ff72fe07a74ac9e4692fac7c0b964ca3c4f6def07d942fd94ecfd80981
-
SHA512
49b8b422831afec6f9600f9ee03b6ff237abf548ffecb607a38992ae72c6d27820e980e79217c784b13b6df70d56482b26a06f058bb00a326e1564f7fcb1b55d
-
SSDEEP
24576:bNkiU39wq+8/EV7QXZyP2wWYMmxtJMdhBgf0n1BcFvnbz:bNV09wq+gECnGfJ0Bu0n1OZP
Score10/10-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Modifies Windows Firewall
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Safe Mode Boot
1Indicator Removal
2File Deletion
2Modify Registry
5