Resubmissions
02-07-2024 23:48
240702-3tl3eawdpf 1002-07-2024 23:39
240702-3nl58awbkg 1002-07-2024 23:36
240702-3lzzaszekr 602-07-2024 06:39
240702-heslesvapn 1002-07-2024 06:28
240702-g8c76atgjr 1002-07-2024 06:22
240702-g4z65azepb 602-07-2024 06:05
240702-gs9leszbja 602-07-2024 06:00
240702-gqde7szaje 8General
-
Target
piggy.png
-
Size
1.3MB
-
Sample
240702-g8c76atgjr
-
MD5
db441b970d8b070324fad09acb7ca77f
-
SHA1
d71a69ffc7c67b2bc338d809b2a7933d1139638a
-
SHA256
38ce15ff72fe07a74ac9e4692fac7c0b964ca3c4f6def07d942fd94ecfd80981
-
SHA512
49b8b422831afec6f9600f9ee03b6ff237abf548ffecb607a38992ae72c6d27820e980e79217c784b13b6df70d56482b26a06f058bb00a326e1564f7fcb1b55d
-
SSDEEP
24576:bNkiU39wq+8/EV7QXZyP2wWYMmxtJMdhBgf0n1BcFvnbz:bNV09wq+gECnGfJ0Bu0n1OZP
Static task
static1
Behavioral task
behavioral1
Sample
piggy.png
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
piggy.png
Resource
win10v2004-20240611-en
Malware Config
Targets
-
-
Target
piggy.png
-
Size
1.3MB
-
MD5
db441b970d8b070324fad09acb7ca77f
-
SHA1
d71a69ffc7c67b2bc338d809b2a7933d1139638a
-
SHA256
38ce15ff72fe07a74ac9e4692fac7c0b964ca3c4f6def07d942fd94ecfd80981
-
SHA512
49b8b422831afec6f9600f9ee03b6ff237abf548ffecb607a38992ae72c6d27820e980e79217c784b13b6df70d56482b26a06f058bb00a326e1564f7fcb1b55d
-
SSDEEP
24576:bNkiU39wq+8/EV7QXZyP2wWYMmxtJMdhBgf0n1BcFvnbz:bNV09wq+gECnGfJ0Bu0n1OZP
-
Modifies WinLogon for persistence
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Safe Mode Boot
1Indicator Removal
2File Deletion
2Modify Registry
5