General
Target: sample1.zip
Size: 9KB
Sample: 211027-ktq29abbd8
MD5: 3965d7736e0743be34167a40d2cfc254
SHA1: 2836eec65f0a72c234ebf2e0389934316ad70036
SHA256: 89887eed284bfd0444ab36df7302b5b5732898d1a32e11440ec39c059dba4e3d
SHA512: 9c118512eeb73510ac8868064079c4a0ffe0e4d37db9c30aa0bdba7ce8d2ef4e0cff72a69fa90dcd943386c739199fbc6f2076f98a586a97ce366c356957383d
Static task: static1
Behavioral task: behavioral1
Sample: dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Resource: win7-en-20211014
Behavioral task: behavioral2
Sample: dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Resource: win11
Behavioral task: behavioral3
Sample: dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Resource: win10-en-20211014
Malware Config
Extracted
C:\[HOW TO RECOVER FILES].TXT
prolock
support981723721@protonmail.com
http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion
Targets
Target: dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample
Size: 14KB
MD5: 3355ace345e98406bdb331ccad568386
SHA1: 81d5888bb8d43d88315c040be1f51db6bb5cf64c
SHA256: dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178
SHA512: 55223ee6f387252a401e62cd5b619afafcb3d63cb33cd1b9a12d782dadc9e68b95062363863f70f13eb28f751da710b78161f7efda464d66b1f98741e56f50e1
Score: 10/10
- Suspicious use of NtCreateProcessExOtherParentProcess
- Modifies Installed Components in the registry
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Sets service image path in registry
- Deletes itself
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.