General

  • Target

    Killer.Clown.2.6.exe

  • Size

    145.7MB

  • Sample

    241115-tecqraxcjj

  • MD5

    44cfcde320eba114cd17c8dbc8493dca

  • SHA1

    028aa1e571e44fdb690ed5dc427ee2b86948f26e

  • SHA256

    d576f41874ceffd0c3e0d512a9602b8ef4c82e57d1a274d2114fc738e1749680

  • SHA512

    f316587f48cf47d1e2ca2701f4a0fddbda7ce6112d7acd4b46157be8db4be8e12fc59452a5c89f47be740e9e44cd41024cc78d9bc1154f151aaa336203cb04ec

  • SSDEEP

    3145728:Jb/JhGzT3Fqj4ileDOCimT+NuJVDQsXe+fQGfQ30iPwpLRQ:ZoxqffCDDeVPwpG

Malware Config

Targets

    • Target

      Killer.Clown.2.6.exe

    • Modifies WinLogon for persistence

    • Modifies security service

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Windows security modification

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks