General
-
Target
LeawoiOSDataProffesionalStup.msi
-
Size
33.2MB
-
Sample
241031-mlkllsvmbv
-
MD5
bdb5f302e34d205b26a4c915563f73d1
-
SHA1
c3b23fd809b1b31a466cd75147ccae5d6747cc74
-
SHA256
5d1e0937fefb17d3df6ffe8b5c5b9816b5467f5d853512f0af1c918fe8911a06
-
SHA512
ad22efb7028e87ad72ed42b4bb549d6fc760f8a11a3d4ee2f4f9ca8033d750e9446fb1c5d0d0e564a6478fb7f49f68bd511894a0ff4c5b23b5fdc2aa21d99685
-
SSDEEP
786432:WOlIAe16UtVShzx9bPAX6Bs0HeA0IoYvhzcZ0v2cSR85Gj:BlPe8UPSBw0He29vJuT8Mj
Static task
static1
Behavioral task
behavioral1
Sample
LeawoiOSDataProffesionalStup.msi
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
LeawoiOSDataProffesionalStup.msi
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\info.hta
https://pidgin.im/download/windows/
Targets
-
-
Target
LeawoiOSDataProffesionalStup.msi
-
Phobos family
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (315) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies Windows Firewall
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (2)
  PowerShell (1)
Windows Management Instrumentation (1)
Persistence
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
  Windows Service (1)
Event Triggered Execution (2)
  Installer Packages (1)
  Netsh Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
  Windows Service (1)
Event Triggered Execution (2)
  Installer Packages (1)
  Netsh Helper DLL (1)
Defense Evasion
Direct Volume Access (1)
Impair Defenses (1)
  Disable or Modify System Firewall (1)
Indicator Removal (3)
  File Deletion (3)
Modify Registry (2)
System Binary Proxy Execution (1)
  Msiexec (1)
Credential Access
Credentials from Password Stores (2)
  Credentials from Web Browsers (1)
  Windows Credential Manager (1)
Unsecured Credentials (1)
  Credentials In Files (1)