General

  • Target

    c3d8b1ad8c4f6e246904412ed348c01a4c9f065d3637531df55e5d7282445a65N

  • Size

    84KB

  • Sample

    241103-tckctaydnk

  • MD5

    318e3aed39662e0f1d0703819e0f5be0

  • SHA1

    fc201de366040c1ae09b01967bcad430ff41e4ab

  • SHA256

    c3d8b1ad8c4f6e246904412ed348c01a4c9f065d3637531df55e5d7282445a65

  • SHA512

    5b4a50af41927660015c33c795eb4f5a9fc2c54469dc35dbe43cc6f3026b9071b7b6e8f59505c38419a5ecbf2d7ff5222faa9600ae23f04b190388a7a0a02af0

  • SSDEEP

    768:RFqqqqqqqqqqqqqqqqqQAqqqqqqqqqqqqqqqqqMcaLRdcv2n6m1aWnOhUHZk8xA0:xK

Malware Config

Targets

    • Modifies visibility of hidden/system files in Explorer

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Indicator Removal: Network Share Connection Removal

      Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

    • Modifies Windows Firewall

    • Possible privilege escalation attempt

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks whether UAC is enabled

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Hide Artifacts: Hidden Users

MITRE ATT&CK Enterprise v15

Tasks