Overview

overview

10

Static

static

7

MfYecZ9i.exe

windows7-x64

9

MfYecZ9i.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    MfYecZ9i.exe

  • Size

    27.9MB

  • Sample

    241010-3eqgaaxdrq

  • MD5

    34e055a67b10a1a14994b6b3457698e2

  • SHA1

    6b299dca56f55a0656b23fd035f4353dc049343a

  • SHA256

    01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09

  • SHA512

    8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218

  • SSDEEP

    786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3

Score
10/10
dharmabootkitcredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealerthemidatrojan

Malware Config

Targets

    • Target

      MfYecZ9i.exe

    • Size

      27.9MB

    • MD5

      34e055a67b10a1a14994b6b3457698e2

    • SHA1

      6b299dca56f55a0656b23fd035f4353dc049343a

    • SHA256

      01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09

    • SHA512

      8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218

    • SSDEEP

      786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionpersistencethemidatrojandharmabootkitcredential_accessimpactprivilege_escalationransomwarespywarestealer

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

      ransomware

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Renames multiple (509) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Modifies Windows Firewall

      evasion

    • Server Software Component: Terminal Services DLL

      persistence

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Time Providers

1
T1547.003

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

2
T1546

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Time Providers

1
T1547.003

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

2
T1546

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Direct Volume Access

1
T1006

Hide Artifacts

1
T1564

Ignore Process Interrupts

1
T1564.011

Impair Defenses

4
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

5
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

6
T1012

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Time Discovery

1
T1124

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Data Destruction

1
T1485

Defacement

1
T1491

Inhibit System Recovery

4
T1490

Service Stop

1
T1489

Tasks