Extracted

Extracted

• • Target

    c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c

  • Size

    203KB

  • MD5

    cefd366a2c000d9bbbd35dfd0a73311d

  • SHA1

    0864171c1e033067b04317979803d97f1c90c85b

  • SHA256

    c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c

  • SHA512

    5f43b27b0495afb6ded495816405efe4a0d77b9991f56b7bfd09cd56d3ae890ec8dc2461a1806b2131edeaafc15d3478b471d1ef0376f9f78128eff539451040

  Score

  10^/10

  evasionpersistenceransomware

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Downloads PsExec from SysInternals website

    Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

  • Modifies Windows Firewall

    evasion

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Deletes itself

  • Drops startup file

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon

    persistence
  behavioral1behavioral2