General

  • Target

    92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09

  • Size

    61KB

  • Sample

    210418-q2crs95e5n

  • MD5

    077fccc46159f8ccd79fcd50787db1c9

  • SHA1

    288635e27276ba6da3291d0982a8f0f23ae0065e

  • SHA256

    92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09

  • SHA512

    6028a1b66ea3e6baae6c11005596c6a6fff982d132ad23c502bf57c5d0995829f983963ba451142f2780214da6c8588e8f83b2972d289367300094fee9cebe74

Targets

    • Target

      92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files. The tell is a burst of renames of user documents to a new shared extension, not a single rename.

    • Adds Run key to start application

      Writes a value under a CurrentVersion\Run key so the application is launched again at user logon (ATT&CK v6 T1060).

    • Drops desktop.ini file(s)

      desktop.ini controls how Explorer displays a folder; a copy dropped into each touched directory is a common ransomware trait, and the files are a convenient pivot for listing affected folders during response.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP. The destination itself is benign, so alert on the requesting process rather than on the host name alone.

    • Sets desktop wallpaper using registry

      Changes the wallpaper through the Control Panel\Desktop registry values, typically to display the ransom note (ATT&CK v6 T1491, Defacement).

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1 signature

  • Defense Evasion

    Modify Registry (T1112): 3 signatures

    Install Root Certificate (T1130): 1 signature

  • Impact

    Defacement (T1491): 1 signature

The counts are the number of sandbox signatures mapped to each technique, and the IDs follow ATT&CK v6 as the report states; current ATT&CK has since folded T1060 into T1547.001 and T1130 into T1553.004, which matters when looking the IDs up in a newer navigator layer. The Install Root Certificate mapping has no counterpart among the signatures shown under Targets above, so treat it as unexplained by this page rather than as confirmed behaviour.
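
The signatures listed under Targets and the ATT&CK mapping above can be turned into a small replayable detector. The following Python is an added example, not code from the sandbox or behaviour recorded from this sample: it runs over constructed, Sysmon-like event records (the event layout, the registry paths, the IP-lookup host names and the rename threshold are assumptions for illustration, not observations from the sample) and emits the report's signature names together with the ATT&CK v6 IDs the matrix uses.

```python
"""Replay constructed Sysmon-like events and flag the behaviours this report lists.

Added example; not code from the sandbox, and the events below are constructed,
not telemetry from the analysed sample.
"""
import ntpath
import re
from dataclasses import dataclass

# ATT&CK v6 technique IDs exactly as the report's matrix uses them
# (current ATT&CK renumbers T1060 to T1547.001).
T1060 = "T1060"  # Persistence: Registry Run Keys / Startup Folder
T1112 = "T1112"  # Defense Evasion: Modify Registry
T1491 = "T1491"  # Impact: Defacement

# Registry paths behind the two registry-based signatures.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)

# Assumed list of legitimate IP-lookup services; extend it from your own DNS telemetry.
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ifconfig.me", "checkip.amazonaws.com"}

# Extensions treated as "user files"; a burst of renames away from them is the tell.
USER_DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt"}
MIN_RENAMES = 3  # assumed threshold: a single rename is ordinary user activity


@dataclass(frozen=True)
class Finding:
    signature: str     # signature name as the report phrases it
    techniques: tuple  # ATT&CK v6 IDs from the report's matrix, () if it maps none
    evidence: str


def analyze(events):
    """Return one Finding per triggered behaviour; events are simplified dicts."""
    findings = []
    renamed = []  # (src, dst) pairs where a user document changed extension
    for ev in events:
        kind = ev["event"]
        if kind == "RegistryValueSet":
            target = ev["target"]
            if RUN_KEY_RE.search(target):
                findings.append(Finding("Adds Run key to start application", (T1060, T1112), target))
            elif WALLPAPER_RE.search(target):
                findings.append(Finding("Sets desktop wallpaper using registry", (T1112, T1491), target))
        elif kind == "DnsQuery" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            findings.append(Finding("Looks up external IP address via web service", (), ev["query"]))
        elif kind == "FileCreate" and ev["path"].lower().endswith("\\desktop.ini"):
            findings.append(Finding("Drops desktop.ini file(s)", (), ev["path"]))
        elif kind == "FileRename":
            src_ext = ntpath.splitext(ev["src"])[1].lower()
            dst_ext = ntpath.splitext(ev["dst"])[1].lower()
            if src_ext in USER_DOC_EXTS and dst_ext != src_ext:
                renamed.append((ev["src"], ev["dst"]))
    # Report the rename burst once, with the new extension(s) as evidence.
    if len(renamed) >= MIN_RENAMES:
        new_exts = sorted({ntpath.splitext(dst)[1].lower() for _, dst in renamed})
        findings.append(Finding("Modifies extensions of user files", (),
                                f"{len(renamed)} user files renamed; new extension(s): {new_exts}"))
    return findings


def signatures(events):
    """Distinct signature names, sorted, for a quick comparison with the report."""
    return sorted({f.signature for f in analyze(events)})


def techniques(events):
    """Distinct ATT&CK v6 IDs covered by the triggered signatures."""
    return sorted({t for f in analyze(events) for t in f.techniques})


# Constructed events in the shape analyze() expects (not telemetry from the sample).
SAMPLE_EVENTS = [
    {"event": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"event": "DnsQuery", "query": "api.ipify.org"},
    {"event": "FileRename", "src": r"C:\Users\victim\Documents\budget.xlsx",
     "dst": r"C:\Users\victim\Documents\budget.xlsx.locked"},
    {"event": "FileRename", "src": r"C:\Users\victim\Documents\report.docx",
     "dst": r"C:\Users\victim\Documents\report.docx.locked"},
    {"event": "FileRename", "src": r"C:\Users\victim\Pictures\cat.jpg",
     "dst": r"C:\Users\victim\Pictures\cat.jpg.locked"},
    {"event": "FileCreate", "path": r"C:\Users\victim\Documents\desktop.ini"},
    {"event": "RegistryValueSet", "target": r"HKU\S-1-5-21-1\Control Panel\Desktop\Wallpaper"},
    # Benign noise that must not fire: one ordinary rename and an unrelated registry write.
    {"event": "FileRename", "src": r"C:\Users\victim\Desktop\notes.txt",
     "dst": r"C:\Users\victim\Desktop\notes_old.txt"},
    {"event": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.signature:45} {','.join(f.techniques) or '-':12} {f.evidence}")
```

Run as a script it prints the five signatures from the Targets section with their evidence; the last two constructed events are there to show that a lone rename and an unrelated registry write do not fire. The rename threshold is the one tunable worth revisiting: set it per host from normal document activity, since the Run key and wallpaper checks are exact-path matches and need no tuning.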
