General
- Target: lsass.exe
- Size: 62KB
- Sample: 210506-apjt1p8ebs
- MD5: ab7b66ee5385cb473b9c15db3e239692
- SHA1: 5875f07b7b8174284ca15e4d5f53942e0d736024
- SHA256: 8710ad8fb2938326655335455987aa17961b2496a345a7ed9f4bbfcb278212bc
- SHA512: 1a9139af13dacb7cc0022b1216d725e39cfe3668384caf6942705bd1cad263368c4b305f7ccd649cd9bee3be5817029fd410bd02deff34c6b73d8159f2aae280
Static task
- static1

Behavioral task
- behavioral1
- Sample: lsass.exe
- Resource: win7v20210408

Behavioral task
- behavioral2
- Sample: lsass.exe
- Resource: win10v20210408
Malware Config
Extracted: C:\users\public\desktop\info.hta
- nilaron@firemail.cc
- zezoxo@libertymail.net
- togerpo@zohomail.eu

Extracted: C:\info.hta
- nilaron@firemail.cc
- zezoxo@libertymail.net
- togerpo@zohomail.eu
Targets
- Target: lsass.exe
- Size: 62KB
- MD5: ab7b66ee5385cb473b9c15db3e239692
- SHA1: 5875f07b7b8174284ca15e4d5f53942e0d736024
- SHA256: 8710ad8fb2938326655335455987aa17961b2496a345a7ed9f4bbfcb278212bc
- SHA512: 1a9139af13dacb7cc0022b1216d725e39cfe3668384caf6942705bd1cad263368c4b305f7ccd649cd9bee3be5817029fd410bd02deff34c6b73d8159f2aae280
Score: 10/10

Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies boot configuration data using bcdedit
- Modifies Windows Firewall
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)