General
-
Target
241019-x646vstfnf_pw_infected.zip
-
Size
77KB
-
Sample
250128-w92pgaxpcv
-
MD5
68276ea5159856b58c5662c2c451d887
-
SHA1
e243926fded3895bc673ac403629868fc2088c21
-
SHA256
6b76ec5da7265a0b2a2ad097d0780665644f532680effb53b6e95ce60d0bd2fd
-
SHA512
8a6a5fae882143ab9fc01948670d65cf902a9a9725ae767e2796473f71f7e5e4b5ad3346237a086bb63996bd8d2fa9df2d4664d655fec6c6f97bbd58c5de605f
-
SSDEEP
1536:a/Mw2IoGjLREU6+FVH/g/iG5t9MR0DXJOjEKxjibHzVfEGpNrqb7xeWtoPn0oWig:QMhIdLCUJ9OiG5tS01O5jEzVm7xeWuPE
Malware Config
Targets
-
-
Target
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
-
Size
144KB
-
MD5
89895cf4c88f13e5797aab63dddf1078
-
SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5
-
SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
-
SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2
-
SSDEEP
3072:eOFqYZEtiRjB+OpBmUHkRCBMmn3T/znyS4:eO8xwjBx8UHkt2DJ4
Score10/10-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Ryuk family
-
Renames multiple (8042) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1