Overview

overview

10

Static

static

10

Verdacrypt#232.ps1

windows7-x64

3

Verdacrypt#232.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Verdacrypt#232.ps1

  • Size

    34KB

  • Sample

    250330-vlgtqasyc1

  • MD5

    bfb119ecc5767fce155199d439d2ef6a

  • SHA1

    206a16a8cd984bc227baf921cc8d3da6032e6a4f

  • SHA256

    1e6a72c58db5d7224f81cd51b0e2b591b3469c838d2e1bc64d06d64a666657fd

  • SHA512

    806cd232681dcf54f46e3012ec85133417263a590640faada18cf38162eacd6b729d0dc7a254a7378d1820d3198227ebda739191f4c0ce0a17e64b3c23b27ba2

  • SSDEEP

    384:tqz/sIUBSzj5mMEEpi0D04eEMls/11AUfoUHadPw3+4CFYw5jICfyQY:1M5mME00xEbrl6Bq+409I9QY

Score
10/10
defense_evasiondiscoveryexecutionimpactpersistenceprivilege_escalationransomware

Malware Config

Targets

    • Target

      Verdacrypt#232.ps1

    • Size

      34KB

    • MD5

      bfb119ecc5767fce155199d439d2ef6a

    • SHA1

      206a16a8cd984bc227baf921cc8d3da6032e6a4f

    • SHA256

      1e6a72c58db5d7224f81cd51b0e2b591b3469c838d2e1bc64d06d64a666657fd

    • SHA512

      806cd232681dcf54f46e3012ec85133417263a590640faada18cf38162eacd6b729d0dc7a254a7378d1820d3198227ebda739191f4c0ce0a17e64b3c23b27ba2

    • SSDEEP

      384:tqz/sIUBSzj5mMEEpi0D04eEMls/11AUfoUHadPw3+4CFYw5jICfyQY:1M5mME00xEbrl6Bq+409I9QY

    Score
    10/10
    executiondefense_evasiondiscoveryimpactpersistenceprivilege_escalationransomware

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies WinLogon for persistence

      persistence

    • Clears Windows event logs

      defense_evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Blocklisted process makes network request

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Adds Run key to start application

      persistence

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

      defense_evasion

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Power Settings

1
T1653

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Direct Volume Access

1
T1006

Hide Artifacts

1
T1564

Hidden Window

1
T1564.003

Indicator Removal

3
T1070

Clear Windows Event Logs

1
T1070.001

File Deletion

2
T1070.004

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Time Discovery

1
T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.