General
Target: 48FA665D88FF417E26595BD3C2D01E9762DF16E25787839206024BBD562828F9.zip
Size: 39KB
Sample: 210227-tgw3cgwzpa
MD5: 263770f84adba2ed396928da1f9e663b
SHA1: e0f566b2496fae83685598d16018a0524cb39b25
SHA256: c73ff9a85af2fa72151ada4accca3b6e81ebd328831c6c3ccc24aea53b177262
SHA512: ac945684c4a279c037b4fe1f009842ebbd3856b61b97bfdf4ecaf1c7101a3fb7b06f10304cbc859fcb925246ceadfb5b24b19c8e67393c707dc9fd958d530f38
Static task: static1
Behavioral task: behavioral1
  Sample: 48FA665D88FF417E26595BD3C2D01E9762DF16E25787839206024BBD562828F9.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 48FA665D88FF417E26595BD3C2D01E9762DF16E25787839206024BBD562828F9.exe
  Resource: win10v20201028
Malware Config
Extracted: C:\Users\Admin\Desktop\info.hta
  dert@airmail.cc
  guxehys@mailfence.com
  sparem@kolabnow.com
Extracted: C:\users\public\desktop\info.hta
  dert@airmail.cc
  guxehys@mailfence.com
  sparem@kolabnow.com
Targets
Target: 48FA665D88FF417E26595BD3C2D01E9762DF16E25787839206024BBD562828F9
Size: 55KB
MD5: fe09fc020102ace1104f83600a7faf9d
SHA1: 6b27a53c1da8300db990213a686c4820993df7a3
SHA256: 48fa665d88ff417e26595bd3c2d01e9762df16e25787839206024bbd562828f9
SHA512: 15c4c6d2a3e4fd14897e0a3fe9a95910cdd944a34126b1ab4f377ed2e1de0ee0e4f26e5efe0bcbb3e24c6136181feac7d870758249c3b23340c20729d6825d63
Score: 10/10
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies boot configuration data using bcdedit
- Modifies Windows Firewall
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application
- Drops desktop.ini file(s)