General
Target: Cracka.rar
Size: 18.1MB
Sample: 241206-fg8djsxjek
MD5: 681be9b88898fa0cdb6f9a8f41b248ec
SHA1: ce3153537fc5bbe19524d475922b1423fdacd109
SHA256: a21839b1f4ec7d9fa765bedf282699bdd84ed354eebfc6317bd09674b01894fb
SHA512: 7c8f4fa515cd839b25694fb5f0593b2fbd905100626718b7a4e32958a9a85f6c48ebf7235108d65c57e379bfd5760b1ca976cf0048e079a366118166ec79574b
SSDEEP: 393216:V6/rhud0xQt8EJzrF3+Evma7sJ170jVMTZE3fzYXwKpuGqQM0j:V6NudcQxxOEvq8VMcYgKpVL
Static task: static1
Behavioral task: behavioral1
Sample: Cracka.rar
Resource: win10ltsc2021-20241023-en
Malware Config
Targets
Target: Cracka.rar
Size: 18.1MB
MD5: 681be9b88898fa0cdb6f9a8f41b248ec
SHA1: ce3153537fc5bbe19524d475922b1423fdacd109
SHA256: a21839b1f4ec7d9fa765bedf282699bdd84ed354eebfc6317bd09674b01894fb
SHA512: 7c8f4fa515cd839b25694fb5f0593b2fbd905100626718b7a4e32958a9a85f6c48ebf7235108d65c57e379bfd5760b1ca976cf0048e079a366118166ec79574b
SSDEEP: 393216:V6/rhud0xQt8EJzrF3+Evma7sJ170jVMTZE3fzYXwKpuGqQM0j:V6NudcQxxOEvq8VMcYgKpVL
-
Renames multiple (89) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15 (technique: number of signatures matched)
Defense Evasion
Impair Defenses: 1
Obfuscated Files or Information: 1
Command Obfuscation: 1
Subvert Trust Controls: 1
SIP and Trust Provider Hijacking: 1
Credential Access
Credentials from Password Stores: 1
Credentials from Web Browsers: 1
Unsecured Credentials: 3
Credentials In Files: 3
Discovery
Browser Information Discovery: 1
Process Discovery: 1
Query Registry: 5
Remote System Discovery: 1
System Information Discovery: 7
System Location Discovery: 1
System Language Discovery: 1
System Network Configuration Discovery: 1
Internet Connection Discovery: 1