General
Target: a687037b01da43688a176f953776e958f40f7525d70ca4e782e14161f3c33411N
Size: 422KB
Sample: 241010-psb9xs1epr
MD5: b2005383655615ae4918b5b20539e330
SHA1: 1eb38e33db5649a17f7c7d5831238c1e89c210b4
SHA256: a687037b01da43688a176f953776e958f40f7525d70ca4e782e14161f3c33411
SHA512: 754f949a290b7d90f302b19c980554e6686fa083534ab81dfddebae162413c52d4c10f5b6b64ec92ae8b786a90c6c1995713f6397605371166f32f16d8bc5ee2
SSDEEP: 6144:MTqhlztbElkd+s0zyykmkkES0J2txMLVesCjuwptsOXNZcX9PNCFR09KKPOeFhbF:RhDdkybr/J2tx2VeFusZXQJhkeFhbbB
Static task: static1
Behavioral task: behavioral1
  Sample: a687037b01da43688a176f953776e958f40f7525d70ca4e782e14161f3c33411N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a687037b01da43688a176f953776e958f40f7525d70ca4e782e14161f3c33411N.exe
  Resource: win10v2004-20241007-en
Malware Config
Targets
Target: a687037b01da43688a176f953776e958f40f7525d70ca4e782e14161f3c33411N (Size: 422KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often deletes shadow copies and other backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- Renames multiple (196) files with added filename extension
  This suggests ransomware activity: files across the system are being encrypted and renamed.
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (3)
    File Deletion (3)
  Modify Registry (1)