General

Target: 123.exe
Size: 9.3MB
Sample: 210506-vtze7pgdv6
MD5: 49e1e065b2d619c84ce34f2bf5b04105
SHA1: 3b4c8300fcc847c715a6f8d9606c3daabfa9365d
SHA256: c7c2bb08529df1ea16244dfed79a60c039426c69823ee24731213011460ee82d
SHA512: d28e8663ee08923b0b4ba8729329bd25ca054db648f3fb43aa037e1cc87e725954450f5d132457dc506836f03d8c5faa3c2031b2624a7be011037179e6ef06b1
Static task: static1
Behavioral task: behavioral1 (sample 123.exe, resource win7v20210410)
Malware Config

Extracted from the ransom note C:\Users\Admin\Desktop\@LegionReadMe@.txt:
Contact email: CobraLocker@mail2tor.com
Wallet address: 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh (Bitcoin P2PKH format)
URL: http://mail2tor2zyjdctd.onion/
Targets

123.exe (9.3MB; hashes as listed under General)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  ThreadHideFromDebugger (thread information class 0x11) stops the calling thread from delivering debug events to an attached debugger, a common anti-debugging technique.
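The behaviours listed above are the kind a sandbox flags by matching an API and registry trace against rules. As an added example that is not part of this report and not the sandbox's own signature engine, the Python below scores a constructed trace against those five behaviours plus the ransom-note path recorded under Malware Config. The registry key paths, the API names, the 0xfffffffe thread pseudo-handle, the `.locked` extension and the rename threshold of 3 are assumptions; the report records the behaviours, not the exact artefacts the sample touched.

```python
"""Added example: score a constructed API trace against the behaviours this report lists.

Illustrative detection logic written for this page, not the sandbox's signature engine
and not code from the sample. Registry keys, API names, the ".locked" extension and the
rename threshold are assumptions; the report names the behaviours, not the artefacts.
"""
import ntpath
import re

# Registry paths commonly read by the checks the report describes (assumed).
# Values are the report's own signature names.
ANTI_VM_KEYS = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": "Identifies VirtualBox via ACPI registry values",
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "Checks BIOS information in registry",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "Checks BIOS information in registry",
}
THREAD_HIDE_FROM_DEBUGGER = 0x11                              # documented ThreadInformationClass value
RANSOM_NOTE = r"C:\Users\Admin\Desktop\@LegionReadMe@.txt"  # path from the report's Malware Config
RENAME_THRESHOLD = 3                                         # assumed: renames before we call it ransomware-like
ROOT_PATH = re.compile(r"([A-Za-z]):\\\*?")                  # matches "D:\" or "D:\*"

# Constructed sample trace (not from the report): one call per line, API name then arguments.
SAMPLE_TRACE = r"""
RegOpenKeyExW HKLM\HARDWARE\ACPI\DSDT\VBOX__
RegQueryValueExW HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
NtSetInformationThread 0xfffffffe 0x11
GetLogicalDrives
FindFirstFileW D:\*
MoveFileW C:\Users\Admin\Documents\a.docx C:\Users\Admin\Documents\a.docx.locked
MoveFileW C:\Users\Admin\Pictures\b.jpg C:\Users\Admin\Pictures\b.jpg.locked
MoveFileW C:\Users\Admin\Desktop\c.xlsx C:\Users\Admin\Desktop\c.xlsx.locked
CreateFileW C:\Users\Admin\Desktop\@LegionReadMe@.txt
"""


def parse_trace(text):
    """Split a trace into (api, [args]) tuples, skipping blank lines."""
    calls = []
    for line in text.splitlines():
        parts = line.split()
        if parts:
            calls.append((parts[0], parts[1:]))
    return calls


def registry_signatures(calls):
    """Signature names for registry calls whose path sits under an anti-VM/BIOS key."""
    hits = set()
    for api, args in calls:
        if not api.startswith("Reg") or not args:
            continue
        path = args[0].upper()
        for key, name in ANTI_VM_KEYS.items():
            if path.startswith(key.upper()):
                hits.add(name)
    return hits


def hides_from_debugger(calls):
    """True if NtSetInformationThread is called with information class 0x11."""
    for api, args in calls:
        if api == "NtSetInformationThread" and args:
            try:
                if int(args[-1], 0) == THREAD_HIDE_FROM_DEBUGGER:
                    return True
            except ValueError:
                continue
    return False


def reads_non_c_root(calls):
    """True when any file API touches the root path of a drive other than C:."""
    for api, args in calls:
        for arg in args:
            m = ROOT_PATH.fullmatch(arg)
            if m and m.group(1).upper() != "C":
                return True
    return False


def count_user_file_renames(calls):
    """Count MoveFileW calls that change the extension of a file under \\Users\\."""
    n = 0
    for api, args in calls:
        if api == "MoveFileW" and len(args) == 2:
            src, dst = args
            if "\\users\\" in src.lower() and ntpath.splitext(src)[1].lower() != ntpath.splitext(dst)[1].lower():
                n += 1
    return n


def drops_ransom_note(calls):
    """True if the ransom-note path from Malware Config is created."""
    return any(api == "CreateFileW" and args and args[0].lower() == RANSOM_NOTE.lower()
               for api, args in calls)


def score_trace(text):
    """Return the matched signature names and the number of user-file renames."""
    calls = parse_trace(text)
    sigs = registry_signatures(calls)
    if hides_from_debugger(calls):
        sigs.add("Suspicious use of NtSetInformationThreadHideFromDebugger")
    if reads_non_c_root(calls):
        sigs.add("Enumerates connected drives")
    renames = count_user_file_renames(calls)
    if renames >= RENAME_THRESHOLD:
        sigs.add("Modifies extensions of user files")
    if drops_ransom_note(calls):
        sigs.add("Writes ransom note from Malware Config")
    return {"signatures": sigs, "renamed_user_files": renames}


if __name__ == "__main__":
    for name in sorted(score_trace(SAMPLE_TRACE)["signatures"]):
        print(name)
```

Run it directly to print the matched signature names; the trace is embedded and constructed, so nothing touches a real host. ThreadHideFromDebugger is recognised by its information class rather than by the API name, which is why that check parses the last argument, and the drive check keys on root-path reads of non-C drives as the report's own description does, not on GetLogicalDrives alone.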