Overview

overview

10

Static

static

1

RNSM00311.7z

windows7-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RNSM00311.7z

  • Size

    2.2MB

  • Sample

    241112-yscecszfmh

  • MD5

    572cd40b7a7090ce2326bedb2814a25c

  • SHA1

    b4a708bceb8e61dd7786f62de9226030149bdb05

  • SHA256

    7bf491bb387ecafe6a7e6fb0fdd3800b41f87e1562aeaa32aee681abca5c2b8b

  • SHA512

    a2b073c7dcd849ec57e837637e4193fec94839c1ec4a9c528d52ccb423a141b6d27f52df4929a603e332f46eb3bd6d4be44a4a358699552d35d5f113a61c3073

  • SSDEEP

    49152:igq6Mo3K+1CnzdeTFKipvylCXcR/SoXezXb1tkzv5xHIHupYiCo3SQB4anid:igXWGYderqsXcR/AzLvC5xHIE+oManid

Score
10/10
adwindglobeimposterwannacrydiscoverypersistenceransomwarespywarestealertrojanupxworm

Malware Config

Targets

    • Target

      RNSM00311.7z

    • Size

      2.2MB

    • MD5

      572cd40b7a7090ce2326bedb2814a25c

    • SHA1

      b4a708bceb8e61dd7786f62de9226030149bdb05

    • SHA256

      7bf491bb387ecafe6a7e6fb0fdd3800b41f87e1562aeaa32aee681abca5c2b8b

    • SHA512

      a2b073c7dcd849ec57e837637e4193fec94839c1ec4a9c528d52ccb423a141b6d27f52df4929a603e332f46eb3bd6d4be44a4a358699552d35d5f113a61c3073

    • SSDEEP

      49152:igq6Mo3K+1CnzdeTFKipvylCXcR/SoXezXb1tkzv5xHIHupYiCo3SQB4anid:igXWGYderqsXcR/AzLvC5xHIE+oManid

    Score
    10/10
    adwindglobeimposterwannacrydiscoverypersistenceransomwarespywarestealertrojanupxworm

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

      trojanadwind

    • Adwind family

      adwind

    • Class file contains resources related to AdWind

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

      ransomwareglobeimposter

    • Globeimposter family

      globeimposter

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Wannacry family

      wannacry

    • Renames multiple (2301) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks