General
-
Target
e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d
-
Size
7.4MB
-
Sample
220419-dhv4haghek
-
MD5
1cf5dd5e5b0074edcba997bb52ca95ca
-
SHA1
aa64c566f081986367b805ce3093f188b7fa9af8
-
SHA256
e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d
-
SHA512
7373691c3a14fe7c4bfcbee3c9e0cf671a06ebe2ddfb011bca34e71edf2593cdd47ec08d32d0d46974da5a40ddf1d86c033574612756a308507dd9e7796c8134
Malware Config
Targets
-
-
Target
e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d
-
Size
7.4MB
-
MD5
1cf5dd5e5b0074edcba997bb52ca95ca
-
SHA1
aa64c566f081986367b805ce3093f188b7fa9af8
-
SHA256
e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d
-
SHA512
7373691c3a14fe7c4bfcbee3c9e0cf671a06ebe2ddfb011bca34e71edf2593cdd47ec08d32d0d46974da5a40ddf1d86c033574612756a308507dd9e7796c8134
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Zhen Ransomware
First seen in September 2020. Drops ransomnote as .ini file.
-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Possible privilege escalation attempt
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-