General
-
Target
Killer.Clown.2.6.exe
-
Size
145.7MB
-
Sample
241115-tecqraxcjj
-
MD5
44cfcde320eba114cd17c8dbc8493dca
-
SHA1
028aa1e571e44fdb690ed5dc427ee2b86948f26e
-
SHA256
d576f41874ceffd0c3e0d512a9602b8ef4c82e57d1a274d2114fc738e1749680
-
SHA512
f316587f48cf47d1e2ca2701f4a0fddbda7ce6112d7acd4b46157be8db4be8e12fc59452a5c89f47be740e9e44cd41024cc78d9bc1154f151aaa336203cb04ec
-
SSDEEP
3145728:Jb/JhGzT3Fqj4ileDOCimT+NuJVDQsXe+fQGfQ30iPwpLRQ:ZoxqffCDDeVPwpG
Static task
static1
Behavioral task
behavioral1
Sample
Killer.Clown.2.6.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Killer.Clown.2.6.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
Killer.Clown.2.6.exe
-
Size
145.7MB
-
MD5
44cfcde320eba114cd17c8dbc8493dca
-
SHA1
028aa1e571e44fdb690ed5dc427ee2b86948f26e
-
SHA256
d576f41874ceffd0c3e0d512a9602b8ef4c82e57d1a274d2114fc738e1749680
-
SHA512
f316587f48cf47d1e2ca2701f4a0fddbda7ce6112d7acd4b46157be8db4be8e12fc59452a5c89f47be740e9e44cd41024cc78d9bc1154f151aaa336203cb04ec
-
SSDEEP
3145728:Jb/JhGzT3Fqj4ileDOCimT+NuJVDQsXe+fQGfQ30iPwpLRQ:ZoxqffCDDeVPwpG
-
Modifies WinLogon for persistence
-
Modifies security service
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
2Indicator Removal
1File Deletion
1Modify Registry
9