General
Target: GorillaLocomotion.unitypackage
Size: 11KB
Sample: 240802-h8rafssern
MD5: 00868c9fd9a235abd264a6dfd1989442
SHA1: bfc26299a36d8c914b3e2dcfe5fb9853e8489feb
SHA256: fd25f6525440ccb59b3d8bb0a69d673f78f761c21ba456f4149fdf3de4df2d82
SHA512: e77b3f4264a2a69828c3b5b929c10ae72a6f6a0cbf3f96f8f855ca0cf72207ac1bb50ef68f225d1f3514553713c41c3925b6213da3a093901c27d4ffcd2547d8
SSDEEP: 192:CB7hd5uc/RZmkBluqzhyuGldQ5bOeWRo2R2i7ZlGp4CSXJzWwilyB6zz:oBuGRZm8BzhyXlO5dWRoBiOpYXtlSykX
Static task: static1
Behavioral task: behavioral1
Sample: ce5c2251d70caf148bbad13bb99ebf54/pathname
Resource: win11-20240730-en
Malware Config
Targets
Target: ce5c2251d70caf148bbad13bb99ebf54/pathname
Size: 50B
MD5: e9aef410c36b93cce19cc1509bf8b7eb
SHA1: d1ac4ad8c2e5e00dc3ce8474e3a46aafc9256075
SHA256: 4a0966095b487a6ee34363a0006c1fde655b3897008451bf827d72fdc70a818d
SHA512: 682b75565b4c40308cd1a00ec40b2a82e2a6ac797d5bfb42f33ef25c07455f3c455bcab336d76cb38849b964abe22858ac49ff872c995e776db2ca621da76575
BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection
Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2
Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Persistence
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Modify Registry (1)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)