9e0723c997227302cf234f9ae3888b0b18a4a1ec892ecab86aad3279ca455ee2 | Triage

Resubmissions

14-12-2024 01:58

241214-cd5lpsspev 10

14-12-2024 01:33

241214-byxk6atrfq 10

Sharing

General

Target

a7b4ded56a745d078dfc02c6302d136e.bin
Size

201KB
Sample

241214-byxk6atrfq
MD5

96ebf3d7b8a914b113276ff6e3c2f15d
SHA1

666d56a182225667f132ca7971c821e68bde02b5
SHA256

9e0723c997227302cf234f9ae3888b0b18a4a1ec892ecab86aad3279ca455ee2
SHA512

d549e8ada87f0c1f051de180158f1743b99882478c3b9647a629384c733bb1d7610faf7815c9a4dc0b72ede212dccb1263e846084a06dede64ae03862d4b1123
SSDEEP

6144:q/wRIQvIVaQS2qe1hLcQQbNHP4DB+n1Mlaq+BT79e6X:q/BQvqnS2hwhcM1mR+BT7nX

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Targets

- Target
  
  13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
- Size
  
  422KB
- MD5
  
  a7b4ded56a745d078dfc02c6302d136e
- SHA1
  
  20b7e3930741e1ab3ab0f2f74617062b47fffbd8
- SHA256
  
  13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3
- SHA512
  
  0f3320c525141c3eea4ae28a199327f28784fa5f53f81b8abfeb2d5ae620286fdf1b60def07db8d256623f255f8ebd18c06b5880d423e58477686fb4cda79ea5
- SSDEEP
  
  6144:MTqhlztbElkd+s0zyykmkkES0J2txMLVesCjuwptsOXNZcX9PNCFR09KKPOeFhbb:RhDdkybr/J2tx2VeFusZXQJhkeFhbb
Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (224) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Windows Management Instrumentation

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Direct Volume Access

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

defense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

behavioral2

defense_evasiondiscoveryevasionexecutionimpactpersistenceransomware