General
-
Target
803685bdfaac4bc57c3446181daa4d4bc73577f84df0ae2d6d9a1fcc4280f230
-
Size
1.2MB
-
Sample
220520-3fgwjabgbn
-
MD5
53b597d0f54362a1110b1785beeebadf
-
SHA1
74804f2afa946f1409385d5ac36830517039f9be
-
SHA256
803685bdfaac4bc57c3446181daa4d4bc73577f84df0ae2d6d9a1fcc4280f230
-
SHA512
8545cfbc1c084f6bbe5b8db61d9e7fe4bc7bdebabfdb56aab86667f52cacf486cb34699bbbcfd88e0f6fe97abb724e1cae0d673dfa525642f1f20b2b820bc243
Static task
static1
Behavioral task
behavioral1
Sample
803685bdfaac4bc57c3446181daa4d4bc73577f84df0ae2d6d9a1fcc4280f230.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
803685bdfaac4bc57c3446181daa4d4bc73577f84df0ae2d6d9a1fcc4280f230.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
C:\README1.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README2.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README3.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README4.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README5.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README6.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README7.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README8.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README9.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README10.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Targets
-
-
Target
803685bdfaac4bc57c3446181daa4d4bc73577f84df0ae2d6d9a1fcc4280f230
-
Size
1.2MB
-
MD5
53b597d0f54362a1110b1785beeebadf
-
SHA1
74804f2afa946f1409385d5ac36830517039f9be
-
SHA256
803685bdfaac4bc57c3446181daa4d4bc73577f84df0ae2d6d9a1fcc4280f230
-
SHA512
8545cfbc1c084f6bbe5b8db61d9e7fe4bc7bdebabfdb56aab86667f52cacf486cb34699bbbcfd88e0f6fe97abb724e1cae0d673dfa525642f1f20b2b820bc243
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry
-