General
- Target: 6172462281424896.zip
- Size: 23KB
- Sample: 210405-wbyqlfbf1n
- MD5: 0345c8bcf2b3ca5b92daae42bf464cb7
- SHA1: e7855542066360a2e43d91d6e1a5dc9be770918a
- SHA256: c1c72f64714b281dd340072b0eece985949752d18c0a754648a76e29249fc672
- SHA512: 45014da0a7baef05c63377b7dafb7b1a850cd67718364f2c7c29cbec98ec433f33f558e1996a11e86a96264ca795b6521c82dea2a967b477eec3469ee9256a46
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: f6b60839de0ac933f0788bc1e12dee859950010f938a05544ad51c424954b9a6.exe
  - Resource: win7v20201028
- Behavioral task: behavioral2
  - Sample: f6b60839de0ac933f0788bc1e12dee859950010f938a05544ad51c424954b9a6.exe
  - Resource: win10v20201028
Malware Config
- Extracted from: C:\Users\Admin\AppData\Local\Temp\628536743\readme-warning.txt
- Family: makop
- Contact email in ransom note: fairexchange@qq.com
Targets
- Target: f6b60839de0ac933f0788bc1e12dee859950010f938a05544ad51c424954b9a6
- Size: 36KB
- MD5: d62a9ae1380402cc467cced405ba4aa0
- SHA1: dd8b78ffe6fafb29ab8e4422e5e7f3429150c8c3
- SHA256: f6b60839de0ac933f0788bc1e12dee859950010f938a05544ad51c424954b9a6
- SHA512: 2fe310be21c4e210956f9f0ebbeea2783a84e512292614af6c548701c41e559d9bec82c2f0cd2e08e52ef7d1cb1656449e1c96c9438ea3aeda0f5cf312713688
- Score: 10/10

Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2