General
-
Target
17fdb70dd61b548790180b3c3431ca826d4206a7d479c3042e12032d13803e80.exe
-
Size
14.8MB
-
Sample
241122-j9fqsaxlgt
-
MD5
3da089c1ed8bb4643f95aafea7150310
-
SHA1
ea6376ccb7c27a5c5daee560935806370c094861
-
SHA256
17fdb70dd61b548790180b3c3431ca826d4206a7d479c3042e12032d13803e80
-
SHA512
cc76b08edd17ef89d9ecf01c433070882e05b1147acf2a4e69b17997d0c026f9196b1bc6b3a6186281c7b8f0189fb9f4b54706b4ad566643f7d4da22cba94594
-
SSDEEP
393216:h6JN7+zbZFph3fBXKfiyuoDliKXzyuMxM0XbcE:4mbZFph3NKjsqydxM0XbJ
Malware Config
Targets
-
-
Target
17fdb70dd61b548790180b3c3431ca826d4206a7d479c3042e12032d13803e80.exe
-
Size
14.8MB
-
MD5
3da089c1ed8bb4643f95aafea7150310
-
SHA1
ea6376ccb7c27a5c5daee560935806370c094861
-
SHA256
17fdb70dd61b548790180b3c3431ca826d4206a7d479c3042e12032d13803e80
-
SHA512
cc76b08edd17ef89d9ecf01c433070882e05b1147acf2a4e69b17997d0c026f9196b1bc6b3a6186281c7b8f0189fb9f4b54706b4ad566643f7d4da22cba94594
-
SSDEEP
393216:h6JN7+zbZFph3fBXKfiyuoDliKXzyuMxM0XbcE:4mbZFph3NKjsqydxM0XbJ
Score10/10-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Event Triggered Execution: Image File Execution Options Injection
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Registry
5