General

  • Target

    64d811c3a321959ab3fc90a53c67dcf74e5343e6f044fd9b6f8897de18e88925N

  • Size

    253KB

  • Sample

    241026-dj676ayemc

  • MD5

    9a8fb2ea8fb81fd27e0cdd7ad03546f0

  • SHA1

    5aede40b88f2674f799e267c83f468f6e36a4963

  • SHA256

    64d811c3a321959ab3fc90a53c67dcf74e5343e6f044fd9b6f8897de18e88925

  • SHA512

    1361b7221a7801c7852c6ba9536043c55f0f9d23c647f9db625201fbbb0bb64103d4ddf713a6b616300ad37fcc71e22a06e6a2aad92fca7d0c9b5a986b6a8f3a

  • SSDEEP

    3072:EvABRckr10JcUqoHkPP3OsdsWFh8Jk+TkSUfvnFzZ3EVtiee3Ewy:qgRckr1069O+sah0kbfvFC2PS

Malware Config

Targets

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (83) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks