hiddentear | fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd

Resubmissions

03-08-2021 07:41

26-07-2021 12:41

Target

fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd.sample.exe
Size

207KB
MD5

900c456cbcd61ed2bf91378112e93eb0
SHA1

c227ca088a4f80729b83396cafa0152d9778254e
SHA256

fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd
SHA512

e9e71efbe7e70ece0d5022c401d6cb8c808237946b6a30fcfe18d8d43ea93460c04977015daf05a7baa5a9f1467c5ffdcf499a52706c27a0055529a3f38f0ba7

Score

10^/10

HiddenTear Ransomware
Open-Source ransomware available on Github since 2015, with many versions in the wild.
ransomware hiddentear
suricata: ET MALWARE Observed Reimageplus Ransomware Domain in TLS SNI
suricata
suricata: ET MALWARE Reimageplus Ransomware Checkin
suricata

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\DisableMerge.png => C:\Users\Admin\Pictures\DisableMerge.png.klavins	fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd.sample.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3408	fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd.sample.exe

memory/3408-114-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/3408-116-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/3408-117-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/3408-118-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/3408-119-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download