General

- Target: 6b7d70ca7d02133afbc24eeb585f2921bc35c01b23b90a66f515290c49cf0952
- Size: 60KB
- Sample: 210412-5wsk5sahc2
- MD5: a53e1725d0d8f8c4616c625e113d3426
- SHA1: 733ec0a491555e4563839ef273b66cb94f0c4163
- SHA256: 6b7d70ca7d02133afbc24eeb585f2921bc35c01b23b90a66f515290c49cf0952
- SHA512: 20abc180c481c21422aca29b17fd11b3200d2a84ee08bc68c747b4e91dc01f904829b0c224d02006d0fe0f895b0422b3f74883c9dad504b5bd560ec18da0e7ed
Static task: static1

Behavioral task: behavioral1
- Sample: 6b7d70ca7d02133afbc24eeb585f2921bc35c01b23b90a66f515290c49cf0952.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 6b7d70ca7d02133afbc24eeb585f2921bc35c01b23b90a66f515290c49cf0952.exe
- Resource: win10v20201028
Malware Config

Extracted from \??\c:\users\admin\desktop\info.txt:
- https://icq.com/windows/
- https://icq.im/Polsat

Extracted from C:\users\public\desktop\info.hta:
- https://icq.com/windows/
- https://icq.im/Polsat
Targets

- Target: 6b7d70ca7d02133afbc24eeb585f2921bc35c01b23b90a66f515290c49cf0952
- Size: 60KB
- Hashes (MD5, SHA1, SHA256, SHA512): identical to those listed under General
- Score: 10/10
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies boot configuration data using bcdedit
- Modifies Windows Firewall
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)