hxxps://gofile[.]io/d/EDCgVR

General

Target

https://gofile.io/d/EDCgVR
Sample

250402-rt5zqs1kx6

Score

10^/10

Malware Config

Targets

- Target
  
  https://gofile.io/d/EDCgVR
Score

10^/10

defense_evasion discovery execution exploit impact persistence privilege_escalation ransomware
- Modifies WinLogon for persistence
  persistence
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Looks for VirtualBox Guest Additions in registry
  defense_evasion
- Renames multiple (61) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  defense_evasion
- Downloads MZ/PE file
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Looks for VMWare Tools registry key
  defense_evasion
- Possible privilege escalation attempt
  exploit
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Drops file in System32 directory
behavioral1