General
-
Target
0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e
-
Size
1.3MB
-
Sample
210922-rz7qhsdae5
-
MD5
64213e0f66738792dafd21a9d45f9d5b
-
SHA1
70ebd893b56767ac910a8f045fd60eb089de1bcc
-
SHA256
0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e
-
SHA512
eaa238690175f87a716198e6fd840bdf95bf2c21147b871418592c4d3be658f98bad9c9e758f08f5f37532fa5200f148ea3425ce98b6864e82c8acfd55870124
Static task
static1
Behavioral task
behavioral1
Sample
0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e.exe
Resource
win10-en-20210920
Malware Config
Extracted
C:\README1.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README2.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README3.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README4.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README5.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README6.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README7.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README8.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README9.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README10.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Targets
-
-
Target
0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e
-
Size
1.3MB
-
MD5
64213e0f66738792dafd21a9d45f9d5b
-
SHA1
70ebd893b56767ac910a8f045fd60eb089de1bcc
-
SHA256
0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e
-
SHA512
eaa238690175f87a716198e6fd840bdf95bf2c21147b871418592c4d3be658f98bad9c9e758f08f5f37532fa5200f148ea3425ce98b6864e82c8acfd55870124
-
Modifies Installed Components in the registry
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry
-