General

  • Target

    final.exe

  • Size

    30.0MB

  • Sample

    250121-hqhwcs1qhm

  • MD5

    61ef14853d67c019c701bd17d3a04908

  • SHA1

    d48fe9c056b9552f3ae762d0ab751b68f8f5ff70

  • SHA256

    c3140b5654db6fbb03763ba846613659c7328f5c5caafb65ddc2bb05cc81654e

  • SHA512

    cf120432ebe163880e4c3b879abc0f6bf74de8cabb45dbeb4028a0c7c015b6971d9daecfabb4091605993f7d81e86fd71c58b6719736d3dc03967bf5dd33704d

  • SSDEEP

    786432:H9Yidhz2W8A1YEA8o1QtIYa8DZcUTOl8fpGdO+OPHmEakjN06tcDIh:H9JaWfuskiIp61Hx+iHhakJ06tB

Malware Config

Targets

    • Modifies Windows Defender Real-time Protection settings

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables cmd.exe use via registry modification

    • Drops file in Drivers directory

    • Possible privilege escalation attempt

    • Drops startup file

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile information.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Enterprise v15

Tasks