General
- Target: 869d05fe732ff419731def3140634df40e887d821430e46d17b1e3703c63b6cf
- Size: 147KB
- Sample: 211018-tt2nesehbp
- MD5: 3198bf588f0ee33319b419d4a647d7ba
- SHA1: 3bdff0596222f364e4bfc0a5874fda0317e21042
- SHA256: 869d05fe732ff419731def3140634df40e887d821430e46d17b1e3703c63b6cf
- SHA512: c850bf984b98b52afbc2cc5ef52009bfeb695d165c5466adcb520ba5ce546a56018856021b1230105a0246840cde169e19d4b5ee762766e7bda54995a42f98cc
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 869d05fe732ff419731def3140634df40e887d821430e46d17b1e3703c63b6cf.exe
  - Resource: win7-en-20211014
Behavioral task
- behavioral2
  - Sample: 869d05fe732ff419731def3140634df40e887d821430e46d17b1e3703c63b6cf.exe
  - Resource: win10-en-20211014
Malware Config
- Extracted: C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
  - URL: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=MRGHV9TNE1
- Extracted: C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  - URL: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=MRGHV9TNE1
Targets
- Target: 869d05fe732ff419731def3140634df40e887d821430e46d17b1e3703c63b6cf (147KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- Score: 10/10
- Downloads MZ/PE file
- Downloads PsExec from SysInternals website
  Sysinternals tools like PsExec are often leveraged maliciously by malware families because they are legitimate tools commonly used by testers and administrators.
- Modifies Windows Firewall
- Modifies extensions of user files
  Ransomware generally changes the extension of the files it encrypts.
- Deletes itself
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon