General

  • Target

    final.exe

  • Size

    29.8MB

  • Sample

    250120-m7rl2swnck

  • MD5

    76d83650325071a6c6bfeceec680c978

  • SHA1

    367dfdfc50c6b4d99464f2e060ddd802cd9e3b65

  • SHA256

    a5579009f2a93ff502f3c43bd03f0da30b23cbc600a91e11ac3ebfb51fc0a665

  • SHA512

    7852e16176610312992d6966d4b41195ca643a5d3c58d76d164bb4ff71d47f9d776664e2c0d0d5711e9bf556650638f2c8bc5a4195b961f86a1d33d6d2232f4a

  • SSDEEP

    786432:e9Yidhz2W8A1YEA8o1QtIYa8DZcUTOl8fRGdO+IPHmEakdN0UcDIR:e9JaWfuskiIp61HZ+0Hhak30UB
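Before applying this report's verdict to a file on hand, confirm the file is the same sample by recomputing the digests above. The following is an added example, not part of the report or the sandbox's own tooling: it streams the file (so a 29.8MB binary is not loaded whole) and compares every cryptographic digest listed above. The SSDEEP value needs the third-party ssdeep module and is deliberately not checked here; the hash names and the command-line usage are the example's own assumptions.

```python
"""Confirm a local file is the exact sample this report describes."""
import hashlib
from typing import Dict

# Digests copied from the report above for final.exe (29.8MB).
REPORT_HASHES: Dict[str, str] = {
    "md5": "76d83650325071a6c6bfeceec680c978",
    "sha1": "367dfdfc50c6b4d99464f2e060ddd802cd9e3b65",
    "sha256": "a5579009f2a93ff502f3c43bd03f0da30b23cbc600a91e11ac3ebfb51fc0a665",
    "sha512": "7852e16176610312992d6966d4b41195ca643a5d3c58d76d164bb4ff71d47f9d776664e2c0d0d5711e9bf556650638f2c8bc5a4195b961f86a1d33d6d2232f4a",
}
# The report's SSDEEP value needs the third-party ssdeep module and is not
# checked here; the cryptographic digests are sufficient to establish identity.


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute the four report digests over an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute the same digests for a file, streamed in 1 MiB chunks so a
    ~30 MB sample is never loaded into memory at once."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(digests: Dict[str, str],
           expected: Dict[str, str] = REPORT_HASHES) -> Dict[str, bool]:
    """Per-algorithm comparison; case-insensitive because hex is often pasted upper-case."""
    return {name: digests.get(name, "").lower() == value.lower()
            for name, value in expected.items()}


def is_report_sample(digests: Dict[str, str],
                     expected: Dict[str, str] = REPORT_HASHES) -> bool:
    """True only when every digest matches. A single mismatch means a different
    file (or a truncated download), so the report's findings should not be
    assumed to apply to it."""
    return all(verify(digests, expected).values())


if __name__ == "__main__":
    import sys

    found = hash_file(sys.argv[1])   # usage: python verify_sample.py final.exe (assumed filename)
    for name, ok in verify(found).items():
        print(f"{name:6} {'MATCH' if ok else 'MISMATCH'}  {found[name]}")
    sys.exit(0 if is_report_sample(found) else 1)
```

Run it against the downloaded binary; a non-zero exit means at least one digest differs and the file should be treated as a different sample until re-submitted.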

Malware Config

Targets

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Command and Scripting Interpreter: PowerShell

      Invokes powershell.exe.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables cmd.exe use via registry modification

    • Drops file in Drivers directory

    • Possible privilege escalation attempt

    • Drops startup file

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories
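The signature list above names behaviours but not the commands or registry values that triggered them. The following added example is not part of the report and is not the sandbox's own signature logic: it replays several of the listed signatures as detection rules over process-creation and registry-set events, using the well-known switches these behaviours usually involve (the DisableTaskMgr, DisableRegistryTools and DisableCMD values under Policies\System, DisableRealtimeMonitoring under the Defender Real-Time Protection policy key, vssadmin/wmic shadow-copy deletion, bcdedit safeboot, and attrib +h). The event schema, the exact commands, and the ATT&CK mapping are the example's assumptions; the sample events are constructed here and were not taken from the report's task.

```python
"""Replay the report's behavioural signatures over process and registry events."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Event:
    kind: str          # "process" (uses cmdline) or "registry" (uses key/value/data)
    cmdline: str = ""
    key: str = ""
    value: str = ""
    data: str = ""     # value data normalised to a decimal string by the log pipeline (assumed)


# Well-known locations for the policy and Defender switches the report names (assumed).
POLICY_SYSTEM = r"\Microsoft\Windows\CurrentVersion\Policies\System"
DEFENDER_RTP = r"\Policies\Microsoft\Windows Defender\Real-Time Protection"


def reg_set(value_name: str, key_suffix: str,
            data: Tuple[str, ...] = ("1",)) -> Callable[[Event], bool]:
    """Fire when a registry event sets value_name under a key ending in key_suffix to one of data."""
    def check(e: Event) -> bool:
        return (e.kind == "registry"
                and e.key.lower().endswith(key_suffix.lower())
                and e.value.lower() == value_name.lower()
                and e.data in data)
    return check


def cmdline(pattern: str) -> Callable[[Event], bool]:
    """Fire when a process event's command line matches pattern (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: e.kind == "process" and rx.search(e.cmdline) is not None


# (signature name as printed in the report, ATT&CK technique, predicate)
RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("Modifies Windows Defender Real-time Protection settings", "T1562.001",
     reg_set("DisableRealtimeMonitoring", DEFENDER_RTP)),
    ("Disables RegEdit via registry modification", "T1112",
     reg_set("DisableRegistryTools", POLICY_SYSTEM)),
    ("Disables Task Manager via registry modification", "T1112",
     reg_set("DisableTaskMgr", POLICY_SYSTEM)),
    ("Disables cmd.exe use via registry modification", "T1112",
     reg_set("DisableCMD", POLICY_SYSTEM, ("1", "2"))),  # 2 blocks interactive cmd only
    ("Deletes shadow copies", "T1490",
     cmdline(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows|\bwmic(\.exe)?\b.*\bshadowcopy\s+delete")),
    ("Impair Defenses: Safe Mode Boot", "T1562.009",
     cmdline(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b")),
    ("Command and Scripting Interpreter: PowerShell", "T1059.001",
     cmdline(r"(^|\\|\s)powershell(\.exe)?\b")),
    ("Enumerates processes with tasklist", "T1057",
     cmdline(r"(^|\\|\s)tasklist(\.exe)?\b")),
    ("Hide Artifacts: Hidden Files and Directories", "T1564.001",
     cmdline(r"(^|\\|\s)attrib(\.exe)?\b.*\+[hs]")),
]


def match_events(events: List[Event]) -> Dict[str, List[int]]:
    """Map each signature that fired to the indices of the events that triggered it."""
    hits: Dict[str, List[int]] = {}
    for i, e in enumerate(events):
        for name, _tid, check in RULES:
            if check(e):
                hits.setdefault(name, []).append(i)
    return hits


def techniques(hits: Dict[str, List[int]]) -> Set[str]:
    """Collapse fired signatures to the set of ATT&CK technique IDs."""
    tid_by_name = {name: tid for name, tid, _ in RULES}
    return {tid_by_name[name] for name in hits}


# Constructed events resembling what a sandbox would record; not taken from the report.
SAMPLE_EVENTS: List[Event] = [
    Event("process", cmdline="cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    Event("process", cmdline="bcdedit /set {default} safeboot minimal"),
    Event("process", cmdline=r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage.ps1"),
    Event("registry", key=r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
          value="DisableRealtimeMonitoring", data="1"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
          value="DisableTaskMgr", data="1"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
          value="DisableRegistryTools", data="1"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
          value="DisableCMD", data="2"),
    Event("process", cmdline=r"attrib +h +s C:\Users\Public\stage.ps1"),
    Event("process", cmdline="tasklist /v"),
    # Benign look-alikes that must not fire: listing (not deleting) shadows, re-enabling Task Manager.
    Event("process", cmdline="cmd.exe /c vssadmin list shadows"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
          value="DisableTaskMgr", data="0"),
]

if __name__ == "__main__":
    fired = match_events(SAMPLE_EVENTS)
    for name, idx in fired.items():
        print(f"{name:58} events {idx}")
    print("ATT&CK:", sorted(techniques(fired)))
```

The registry rules key on the value name and the tail of the key path so they match whether the write lands under HKCU or HKLM, and they require the disabling data value, so a script that sets DisableTaskMgr back to 0 does not fire. Rules for the report's other signatures (UAC bypass, dropped files in the Drivers directory, browser profile reads, external IP lookup) need file and network events this example does not model.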

MITRE ATT&CK Enterprise v15
