General
Target: af24612700c0105cf990148b19e5140314a55701c7022ccd2811e8ee29d68d74.bin.sample.gz
Size: 15KB
Sample: 220217-wnmcnacha2
MD5: 9b4e1ae962380ff1fe65d2ec52ebe55f
SHA1: 18cdb240ed6a012ad4631d32648356e8a1bcee4c
SHA256: 012532729ad9c1e9495a65d1961a9f66cb7b5ae6c6aa18b919241e0029091d42
SHA512: 00def0eb7932d0e0771106aa6fe0318c1c179f17982718837c30486952c65336d6bf9727e1eb21ad2ef45a847dee6620ede04f58afbc3ac65adb999585910208
Static task: static1

Behavioral task: behavioral1
Sample: sample.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: sample.exe
Resource: win10v2004-en-20220113
Malware Config
Extracted: C:\restore-files.txt
https://qtox.github.io/
Targets
Target: sample
Size: 30KB
MD5: 2222479d681f7a554976a9797f315fd2
SHA1: d535dfc613ab1081dcf0bb9dd92c0f533fa3a6b5
SHA256: af24612700c0105cf990148b19e5140314a55701c7022ccd2811e8ee29d68d74
SHA512: 5dbf583e232d662cebbc191e7e9b2c73bfd04e0c455f599b88c5428354f777ea4cf47b8a06551b34519912861d05d78c4b2e2159a6e330749a943c7476925fc4
Score: 10/10

Suspicious use of NtCreateProcessExOtherParentProcess
Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Drops startup file