General

  • Target

    4b4a87552c44158fb53a72c7294319b0ddde9f99f460425ad5997d3b9121cd1e.dll

  • Size

    206KB

  • Sample

    241216-cpmj9symgw

  • MD5

    fccd129f6a5b9d2133d14922a3614f02

  • SHA1

    e814c637e6f0c21f3aa9b43fb92cb161b4d451fc

  • SHA256

    4b4a87552c44158fb53a72c7294319b0ddde9f99f460425ad5997d3b9121cd1e

  • SHA512

    c1594504053bbe2b061880d1ff69819eca8bdd2bc882b74f415ff8a1515389e32b8d7cd1b931d65b042247fd05df1751a000d6da4219427b74e9cdb0e0e52979

  • SSDEEP

    3072:4pEegLluZoATP/QGdqlhNFIkiFnZDJVvU1nSXZOAg0Fuj0pJgOgpQkV+tpMEaE:4pDyp2AQq3FWFnRehAOXpQkY7MY

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15