General
Target: 9695fc65d51d6045eb80bbda94d1971934f96f0641ad2ee260b0a26d124edaec.sample
Size: 854KB
Sample: 210726-4pqxv18gae
MD5: 1e27184759cc4099c0da73b152408281
SHA1: cf71196d88354a8324fdaa12013a4d80aa3b7c55
SHA256: 9695fc65d51d6045eb80bbda94d1971934f96f0641ad2ee260b0a26d124edaec
SHA512: f74da0c39a57b612c1e7cc3c6079b3ddd1f3393728ad4e375e5bb116229d66db2811e948008447a29c1c738cf9a707b5e8d4c8ec69cccf47af2e4c8d2373e5cf
Static task: static1
Behavioral task: behavioral1
  Sample: 9695fc65d51d6045eb80bbda94d1971934f96f0641ad2ee260b0a26d124edaec.sample.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 9695fc65d51d6045eb80bbda94d1971934f96f0641ad2ee260b0a26d124edaec.sample.exe
  Resource: win10v20210408
Malware Config
Extracted (C:\README1.txt):
VladimirScherbinin1991@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Targets
Target: 9695fc65d51d6045eb80bbda94d1971934f96f0641ad2ee260b0a26d124edaec.sample (size and hashes as listed under General above)
Score: 10/10
- Modifies Installed Components in the registry
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Adds Run key to start application
- Checks installed software on the system (looks up Uninstall key entries in the registry to enumerate software on the system)
- Drops desktop.ini file(s)
- Enumerates connected drives (attempts to read the root path of hard drives other than the default C: drive)
- Looks up external IP address via web service (uses a legitimate IP lookup service to find the infected system's external IP)
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext