Resubmissions

27-08-2024 11:34

240827-npnywazgjp 10

25-04-2024 15:35

240425-s1rw5aca8y 10

General

  • Target

    13916d6b1fddb42f3146b641d37f3a69b491f183146e310aa972dd469e3417bf.zip

  • Size

    102KB

  • Sample

    240827-npnywazgjp

  • MD5

    82391340acd371ab99136320ed132dbf

  • SHA1

    e88bf6c24134dc19f4df7f8443a9e31d84c93ce6

  • SHA256

    6f640c50c4995890bb6f4243695caed28b7907d244800526fac18747a6766b05

  • SHA512

    875b96f8e89b68896e212a295a1963ffd71c69a2ed520ec1b750ad76bab87e343e1a6374a6655f7f4685425ea8c9823651f22bec56b3a7e531fba0fbd03f2351

  • SSDEEP

    3072:ziydFuRNC5ShkrmPVfE90wPZhExBErerQwxjq6X9q:zi7RQSLVE90yZhExBolmjP4

Malware Config

Targets

    • Target

      Document.doc.scr

    • Size

      194KB

    • MD5

      ae811bd6440b425e6777f0ca001a9743

    • SHA1

      70902540ead269971e149eaff568fb17d04156af

    • SHA256

      86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498

    • SHA512

      3617d8e77c221525125778cf64f2525136f7958766f5bed0fd7bfe00e7f738017d2840972acc628e4c3471b93cf6d52ccd619f49bdbbcff824c12cac8e1ea88e

    • SSDEEP

      3072:a6glyuxE4GsUPnliByocWepiHkZmlkQIQP6fo:a6gDBGpvEByocWeQwLAPm

    • Renames multiple (650) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks