Overview

overview

10

Static

static

10

VerdacryptorV5.ps1

windows7-x64

3

VerdacryptorV5.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    VerdacryptorV5.ps1

  • Size

    34KB

  • Sample

    250328-yt6plaz1gw

  • MD5

    264c23138c8fa42c5349b813eaceadef

  • SHA1

    9b6775c974c762e3623e5a4d6a5889abb4c5483d

  • SHA256

    0d04aa56dc4d408adec27419813e9ab81841a0df73fc8a27844eb930ca7b7d19

  • SHA512

    4738506caa97ca0b07fc929abef76d8f1e9ef13139701101985457763a7cc5d13536f336879f2cab966618f55aa451768be646e04a98876a0ea2d8476384dbb6

  • SSDEEP

    384:thz/s2UBSzj5mMEEpi0D04eEMls/11AUfoUHaWPw3+4CFYw5jIyJyXY:EM5mME00xEbrl6Yq+409IrXY

Score
10/10
defense_evasiondiscoveryexecutionpersistenceprivilege_escalationransomware

Malware Config

Targets

    • Target

      VerdacryptorV5.ps1

    • Size

      34KB

    • MD5

      264c23138c8fa42c5349b813eaceadef

    • SHA1

      9b6775c974c762e3623e5a4d6a5889abb4c5483d

    • SHA256

      0d04aa56dc4d408adec27419813e9ab81841a0df73fc8a27844eb930ca7b7d19

    • SHA512

      4738506caa97ca0b07fc929abef76d8f1e9ef13139701101985457763a7cc5d13536f336879f2cab966618f55aa451768be646e04a98876a0ea2d8476384dbb6

    • SSDEEP

      384:thz/s2UBSzj5mMEEpi0D04eEMls/11AUfoUHaWPw3+4CFYw5jIyJyXY:EM5mME00xEbrl6Yq+409IrXY

    Score
    10/10
    executiondefense_evasiondiscoverypersistenceprivilege_escalationransomware

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies WinLogon for persistence

      persistence

    • Clears Windows event logs

      defense_evasionransomware

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Adds Run key to start application

      persistence

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

      defense_evasion

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Power Settings

1
T1653

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Hide Artifacts

1
T1564

Hidden Window

1
T1564.003

Indicator Removal

1
T1070

Clear Windows Event Logs

1
T1070.001

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Time Discovery

1
T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks