General
-
Target
32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0
-
Size
1.4MB
-
Sample
220305-yxtt7shbe7
-
MD5
30389b7a45567e07146e2ad0d59734fa
-
SHA1
776ec66d4570ddb8ca3907fd77e4c02ae1e428ba
-
SHA256
32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0
-
SHA512
a86d240fc8cf0201bdf63c1f7ebc4adbff4836061bc71c3ba1b044ae6c7a41c6d4b50f69b77bfb9162a046d1278d6db723fc15ccc3a57b0a1163b2de3a232e89
Behavioral task
behavioral1
Sample
32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe
Resource
win10v2004-en-20220112
Malware Config
Extracted
C:\README1.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README2.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README3.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README4.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README5.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README6.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README7.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README8.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README9.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README10.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Targets
-
-
Target
32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0
-
Size
1.4MB
-
MD5
30389b7a45567e07146e2ad0d59734fa
-
SHA1
776ec66d4570ddb8ca3907fd77e4c02ae1e428ba
-
SHA256
32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0
-
SHA512
a86d240fc8cf0201bdf63c1f7ebc4adbff4836061bc71c3ba1b044ae6c7a41c6d4b50f69b77bfb9162a046d1278d6db723fc15ccc3a57b0a1163b2de3a232e89
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry
-