General

  • Target

    4803666962055168.zip

  • Size

    623KB

  • Sample

    201126-vd6l9pfy2n

  • MD5

    629734a78995ca6f641cb616911ae6e6

  • SHA1

    6cf386bd485fd7b6f43593b19bb925c742743d5d

  • SHA256

    9c3337e7502acba72dc28d5f94ad017092401b8348fa9be1ef6ba2e928776257

  • SHA512

    077b11074c007ecae5cfd1b36cbb6871128fdb3bfd6a1599e9534b68e3ab8ebf35cf509069adf9fc19f1c29a947803e1da749e8fd0531fb33a84bd14650939bb

Malware Config

Targets

    • Target

      30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513

    • Size

      710KB

    • MD5

      a7d58a3a9f2ff3e1fefd69ed12cceeb1

    • SHA1

      2fb79bef67a697450313f3d13ef121f9e6bd96a8

    • SHA256

      30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513

    • SHA512

      d22f6acf66fa9e2f97026f934a782175c61de393ee5a21c3e94c337939dc33dd39f104a1cde445d034abb29846b0577b3804762f45abdec554cd4f2d8e95ae25

    • Modifies Windows Defender Real-time Protection settings

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Modifies service settings

      Alters the configuration of existing services.

    • Stops running service(s)

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Modify Existing Service: T1031 (3)

  • Registry Run Keys / Startup Folder: T1060 (1)

Defense Evasion

  • Modify Registry: T1112 (2)

  • Disabling Security Tools: T1089 (1)

  • Impair Defenses: T1562 (1)

Discovery

  • Query Registry: T1012 (1)

  • Peripheral Device Discovery: T1120 (1)

  • System Information Discovery: T1082 (2)

  • Remote System Discovery: T1018 (1)

Impact

  • Service Stop: T1489 (1)

Tasks