04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5

General

Target

04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
Size

127KB
MD5

d449503da4a13fd6e8c8f15dde16949b
SHA1

d9ede4f71e26f4ccd1cb96ae9e7a4f625f8b97c9
SHA256

04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5
SHA512

71b602332851adb5549a8e780d351fd694691eb1c2dc286a7834d2d50a239a05aed8742e0e3b05fabfd8e272cd2fc68d3b6489d69ec3494c88f867f6e3eb8a6c

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UnpublishReset.raw => C:\Users\Admin\Pictures\UnpublishReset.raw.KARMA	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File renamed	C:\Users\Admin\Pictures\FormatProtect.tif => C:\Users\Admin\Pictures\FormatProtect.tif.KARMA	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File renamed	C:\Users\Admin\Pictures\FormatSplit.crw => C:\Users\Admin\Pictures\FormatSplit.crw.KARMA	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File renamed	C:\Users\Admin\Pictures\SwitchConvert.raw => C:\Users\Admin\Pictures\SwitchConvert.raw.KARMA	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe

description	ioc	process
File opened (read-only)	\??\G:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\J:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\P:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\V:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\Z:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\N:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\R:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\B:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\E:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\F:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\L:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\Y:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\Q:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\S:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\A:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\H:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\I:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\K:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\M:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\O:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\T:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\U:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\W:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
File opened (read-only)	\??\X:	04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe

C:\Users\Admin\AppData\Local\Temp\04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe
"C:\Users\Admin\AppData\Local\Temp\04f76d44db4c3a8d810348f65e539f8d65af3ee764c058290033da8f5c508fc5.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
PID:1720