General

  • Target

    0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

  • Size

    457KB

  • Sample

    241112-ycwhaszcrl

  • MD5

    8b2e74dc12cdfc93634f7452a5f02d27

  • SHA1

    9ae5feb3a179722faee3652ec117c1dc49898787

  • SHA256

    0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

  • SHA512

    7160be3843880e9d78660116c0b9f4a2b18ce9d8094ae17307f526580f2f9068bd6479dc21d6361a851784990ee32df7c9ad03b5d1852beaf39db60484dcf269

  • SSDEEP

    12288:LsX/THpV3kyniMQBsD1VBJOKFyaiXWudQl:LsT3kyiM2kBQj

Targets

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (51) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Drops file in System32 directory
