General

  • Target

    lock5.rar

  • Size

    169KB

  • Sample

    241114-knxmvazmen

  • MD5

    33dadfc68664b4047601444e1ab413e1

  • SHA1

    f719136098052f4e3acefa99c8c55ee1199e027a

  • SHA256

    d9a3697fa898a224f3111f86a1c2d3f37cf3bfd555c5a7e8900c7dda6f1f7d9b

  • SHA512

    32e40aada322d8b19b76f865e27b3be5b4b85a6366af815ce205a83452096cf6da810217903464611108b0cdf84d63cd1dff4a93fd6af25fcd3b02a95b1cd321

  • SSDEEP

    3072:3/yVUCxL8G9MPoWYw8wpO+anIAcpQ0BbsbQeNyXH5+5:3KpRxyAtw/AgNBb2QWKu

Malware Config

Targets

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (228) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system and appending an extension to each.

    • Deletes system backups

      Uses wbadmin.exe to inhibit system recovery.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15