General

  • Target: final.exe
  • Size: 30.0MB
  • Sample: 250121-j7r12avlhy
  • MD5: 8af1201429eed51318ebdfabd6854fed
  • SHA1: dce0725a5a2ed8c53905f3efa0ea5bd833f5490a
  • SHA256: f8877434b24d0ef8900e9f809cf3de517de1c8ec3ce1f79a50db24e957bf810c
  • SHA512: 3b3dd77e121e0b2211d0b756cf5c11620a1a8db17c1a8225e73db7bece2fafae9457ad835eff04f27db6c1a0336c013719a16d7dab12c998a8eb3691fbf85d2a
  • SSDEEP: 786432:hG9Yidhz2W8A1YEA8o1QtIYa8DZcUTOl8fvGdO+TKPHmEakjN06tcDIn:89JaWfuskiIp61HT+TOHhakJ06tB

Targets

    • Modifies Windows Defender Real-time Protection settings
    • Deletes shadow copies (ransomware often targets backup files to inhibit system recovery)
    • Command and Scripting Interpreter: PowerShell (uses the powershell.exe command)
    • Disables RegEdit via registry modification
    • Disables Task Manager via registry modification
    • Disables cmd.exe use via registry modification
    • Drops file in Drivers directory
    • Possible privilege escalation attempt
    • Drops startup file
    • Executes dropped EXE
    • Impair Defenses: Safe Mode Boot
    • Loads dropped DLL
    • Modifies file permissions
    • Reads user/profile data of web browsers (infostealers often target stored browser data, which can include saved credentials)
    • Drops desktop.ini file(s)
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service (uses a legitimate IP lookup service to find the infected system's external IP)
    • Enumerates processes with tasklist
    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Enterprise v15
