General
-
Target
image_2024-08-15_173644456.png
-
Size
65KB
-
Sample
240816-aybs1svdka
-
MD5
094782933a1b323b806d38e2163c514f
-
SHA1
c8686351f07d316c55e98a4db19b494ee761cc15
-
SHA256
339cf3a00a96168c86ffabb23d2dcec68bb93f4693a0ed9fd22c30ab920395e2
-
SHA512
9e70ed9461ae64995290e3d3a06a07de533fbe01aef1b4fe391cacf6e4638248810722d14d32d366437121b5ed0baa727741c97d08a456e263735b3921b286ea
-
SSDEEP
1536:Enq5ZwSrulPtZdenS9KGw0ALVCDGp7jdo00cjUl9elOtHNof:Eq7wECJkJvFomQ8wtHy
Malware Config
Targets
-
-
Target
image_2024-08-15_173644456.png
-
Size
65KB
-
MD5
094782933a1b323b806d38e2163c514f
-
SHA1
c8686351f07d316c55e98a4db19b494ee761cc15
-
SHA256
339cf3a00a96168c86ffabb23d2dcec68bb93f4693a0ed9fd22c30ab920395e2
-
SHA512
9e70ed9461ae64995290e3d3a06a07de533fbe01aef1b4fe391cacf6e4638248810722d14d32d366437121b5ed0baa727741c97d08a456e263735b3921b286ea
-
SSDEEP
1536:Enq5ZwSrulPtZdenS9KGw0ALVCDGp7jdo00cjUl9elOtHNof:Eq7wECJkJvFomQ8wtHy
Score10/10-
CryptoLocker
Ransomware family with multiple variants.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
UAC bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Modifies Windows Firewall
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Safe Mode Boot
1Indicator Removal
2File Deletion
2Modify Registry
5Subvert Trust Controls
1SIP and Trust Provider Hijacking
1