878620ee8c892971d83f1317748b51cc8f6ecc1ca553269316697d75c4e9f4c4 | Triage

Sharing

General

Target

878620ee8c892971d83f1317748b51cc8f6ecc1ca553269316697d75c4e9f4c4.exe
Size

568KB
Sample

241120-wh58ks1drm
MD5

526c483a3dad08a67e3eabfcdf07135b
SHA1

9cc2d2cc813731ac53ccbd2fd4219184fc1f2b74
SHA256

878620ee8c892971d83f1317748b51cc8f6ecc1ca553269316697d75c4e9f4c4
SHA512

c17896d7d354c20339cd7995f8881b8e6b0b1cba5d7947fbfbac167de0e566ed4f922bfe92ce49e7ccdec295e7250a9f4d7ff7eadcc646a29b116f21dbb2ce1e
SSDEEP

12288:eaO2vM3cO60U7cxpmon4uuWlP5jqVvGY/7Oa4l5rikIo3:eaWbdQuMonflP5GvH/7z4lpikIO

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Targets

- Target
  
  878620ee8c892971d83f1317748b51cc8f6ecc1ca553269316697d75c4e9f4c4.exe
- Size
  
  568KB
- MD5
  
  526c483a3dad08a67e3eabfcdf07135b
- SHA1
  
  9cc2d2cc813731ac53ccbd2fd4219184fc1f2b74
- SHA256
  
  878620ee8c892971d83f1317748b51cc8f6ecc1ca553269316697d75c4e9f4c4
- SHA512
  
  c17896d7d354c20339cd7995f8881b8e6b0b1cba5d7947fbfbac167de0e566ed4f922bfe92ce49e7ccdec295e7250a9f4d7ff7eadcc646a29b116f21dbb2ce1e
- SSDEEP
  
  12288:eaO2vM3cO60U7cxpmon4uuWlP5jqVvGY/7Oa4l5rikIo3:eaWbdQuMonflP5GvH/7z4lpikIO
Score

10^/10

discovery evasion persistence spyware stealer trojan ransomware
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (76) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistencespywarestealertrojan

behavioral2

discoveryevasionpersistenceransomwarespywarestealertrojan