General

  • Target

    v12044gd0000csgp2v7og65mfn3a7ing.mp4

  • Size

    536KB

  • Sample

    241112-lzpl2szflj

  • MD5

    6abac5fb007c5ef2e53bfa78ba1195ac

  • SHA1

    014cc9b4ed6eb739429abe69e78aebaf281fbd66

  • SHA256

    05c89cc05c29c831d97d2d792c336deec59bb419261209c450959a05952403d7

  • SHA512

    7c5d548401238325b2d01dac82c9bc7a7edad5c16b53b332009c981c5d907d9871900b8e3b93acbe23e723d187521cbbcee7ca94cb7b345b238dcd99c3066887

  • SSDEEP

    12288:t6XNPzGye+E88+PSA7hEliv8cw38Y8iE1HPReiDe0QB3N:taGye+E2qive81pev0Y3N

Malware Config

Targets

    • Renames multiple (126) files with added filename extension

      This suggests ransomware activity: encryption of all files on the system.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks