General
Target: efdzdfzedzed.msi
Size: 91.6MB
Sample: 250401-t5dqqsvms8
MD5: 2d5c493e62a6949d4a8b093ec866fe33
SHA1: 112b213e8e6e9135ea75485511fe69de5e43e45a
SHA256: e2d230e34b9ee9bd696956826ed35333ecd1ec0a9b3fd8451cb20202e26ed5f7
SHA512: 2ae3c09383256c1f15809b006f5cd88f2c78d4ded61c69817ac87ef581c5c230dd0f387f1954a611d4d9b7c1d914ea5c1ddd54be59c847b644501b375efc06d0
SSDEEP: 1572864:yoc2yEeTT7Ha7ZpSBhSd/KfggDzlC4n14SSWRrHA2o+osfiNs0mAAUaMnaSxxUMU:VcHTeZw4KVzlLn1rSQrHdoi0mAAxuJpC
Static task: static1
Behavioral task: behavioral1
  Sample: efdzdfzedzed.msi
  Resource: win10ltsc2021-20250314-fr
Behavioral task: behavioral2
  Sample: efdzdfzedzed.msi
  Resource: win11-20250313-fr
Malware Config
Targets
Target: efdzdfzedzed.msi
Size: 91.6MB
Signatures
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Creates new service(s)
- Disables Task Manager via registry modification
- Uses browser remote debugging: Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Clipboard Data: Adversaries may collect data stored in the clipboard from users copying information within or between applications.
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Drops file in System32 directory
- Enumerates processes with tasklist
- Modifies WinLogon for persistence
MITRE ATT&CK Enterprise v15
Tactic / Technique / Sub-technique (number of matching signatures in parentheses)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (1)
    Service Execution (1)
  Windows Management Instrumentation (1)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (2)
    Installer Packages (1)
    Netsh Helper DLL (1)
  Modify Authentication Process (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (2)
    Installer Packages (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Authentication Process (1)
  Modify Registry (2)
  System Binary Proxy Execution (1)
    Msiexec (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Modify Authentication Process (1)
  Steal Web Session Cookie (1)
  Unsecured Credentials (1)
    Credentials In Files (1)