General
Target: Windows_Activator.msi
Size: 91.7MB
Sample: 250328-1g6j6stls2
MD5: 16bb1e428b2b74fe63b3a927a08bb78c
SHA1: 6ce14b587b463bb997ce972dbde1d1a67549f55f
SHA256: e8abbc51707b68cca30ecfe80efd6eeee973eb9db5c59435235273064385e215
SHA512: a389e44dfcbe1245e16f7e7947dd7b5e727bb78796a62284e65887ec40da0dc36f3c87bf3470eec79e5d3e859ab6902405c5dac387986045c97b997ed54fa6de
SSDEEP: 1572864:QexuiLcspU3rbhowV2e5t+H7b8REE+T649ua4GWbslX3hriLaIIPXEK3:Qe9LcsArVL5tzE7T64wa4GdX3hriLahb

Static task: static1
Behavioral task: behavioral1
Sample: Windows_Activator.msi
Resource: win10ltsc2021-20250314-en
Malware Config

Targets
Target: Windows_Activator.msi
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Creates new service(s)
- Disables Task Manager via registry modification
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
- Drops startup file
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops file in System32 directory
- Enumerates processes with tasklist
- Modifies WinLogon for persistence
MITRE ATT&CK Enterprise v15
(number in parentheses: signature count for that technique or sub-technique)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (1)
    Service Execution (1)
  Windows Management Instrumentation (1)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (2)
    Installer Packages (1)
    Netsh Helper DLL (1)
  Modify Authentication Process (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Access Token Manipulation (1)
    Create Process with Token (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (2)
    Installer Packages (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Access Token Manipulation (1)
    Create Process with Token (1)
  Direct Volume Access (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Authentication Process (1)
  Modify Registry (2)
  System Binary Proxy Execution (1)
    Msiexec (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Modify Authentication Process (1)
  Steal Web Session Cookie (1)
  Unsecured Credentials (1)
    Credentials In Files (1)