General
Target: 4adfd96b183f0f27e4d8e118c1795e2ee5906ecc21cd3479412ba12e237a8419
Size: 3KB
Sample: 220520-g81y8aebb2
MD5: fed9377bc16917bb90322e51bb3b0a49
SHA1: 7d2884d2c9214883444c7b8f2b4e30a7eea6908e
SHA256: 4adfd96b183f0f27e4d8e118c1795e2ee5906ecc21cd3479412ba12e237a8419
SHA512: 4f3b02987ea8a5abceb2a1148ac09323c7f8a02fad3aa9c3cadaebbdedbaa915dd9f719b76b10fd7e28b926630a505e801ef4d629338519cf7340d994a6b6879
Static task: static1
Behavioral task: behavioral1
  Sample: ????????????? ???? ???????? ????????.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ????????????? ???? ???????? ????????.js
  Resource: win10v2004-20220414-en
Malware Config
Extracted ransom notes (ten files, the same three URLs extracted from each):
C:\README1.txt, C:\README2.txt, C:\README3.txt, C:\README4.txt, C:\README5.txt, C:\README6.txt, C:\README7.txt, C:\README8.txt, C:\README9.txt, C:\README10.txt
URLs in each note:
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Note for defenders: only the first URL is a Tor address; onion.to and onion.cab are Tor2Web-style clearnet gateways, so the same hidden service (cryptsen7fo43rr6.onion) is reachable from a victim machine without a Tor client. Detection and blocking should key on the hidden-service name and on the gateway domains, not only on the three literal URLs.
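Extracting the indicators from notes like these, as an added example (not code from the sandbox or from the sample): it finds README&lt;N&gt;.txt files, pulls out every onion-based URL, and separates the hidden-service host from any clearnet gateway suffix so the IOC list covers both access paths. The note bodies are constructed stand-ins that contain only the paths and URLs the report lists; their wording is invented for the example.

```python
"""Pull Tor hidden-service IOCs out of ransom notes of the README<N>.txt pattern.

Added example; not code from the sandbox or the sample. The note bodies below
are constructed stand-ins containing only the URLs the report extracted.
"""
import re
from urllib.parse import urlparse

# v2 (16 chars) and v3 (56 chars) onion names, optionally followed by a
# clearnet gateway suffix such as .to or .cab (Tor2Web-style proxies).
ONION_URL_RE = re.compile(
    r"https?://(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion(?:\.[a-z0-9-]+)*(?:/\S*)?",
    re.IGNORECASE,
)
NOTE_NAME_RE = re.compile(r"^README(\d+)\.txt$", re.IGNORECASE)


def extract_onion_urls(text):
    """Return the distinct onion-based URLs in a note, in order of appearance."""
    urls = []
    for m in ONION_URL_RE.finditer(text):
        if m.group(0) not in urls:
            urls.append(m.group(0))
    return urls


def hidden_service(url):
    """Strip any gateway suffix and return the bare hidden-service host."""
    labels = urlparse(url).hostname.lower().split(".")
    return ".".join(labels[: labels.index("onion") + 1])


def gateway_domain(url):
    """Return the clearnet gateway domain ('onion.to', 'onion.cab', ...),
    or '' when the URL is a direct Tor address."""
    labels = urlparse(url).hostname.lower().split(".")
    tail = labels[labels.index("onion"):]
    return ".".join(tail) if len(tail) > 1 else ""


def triage_notes(notes):
    """notes: {path: text}. Returns an IOC summary for the README<N>.txt files."""
    numbered, services, gateways, urls = [], set(), set(), []
    for path, text in notes.items():
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        m = NOTE_NAME_RE.match(name)
        if not m:
            continue  # not a ransom note by this naming scheme
        numbered.append((int(m.group(1)), path))
        for url in extract_onion_urls(text):
            if url not in urls:
                urls.append(url)
            services.add(hidden_service(url))
            if gateway_domain(url):
                gateways.add(gateway_domain(url))
    return {
        "notes": [p for _, p in sorted(numbered)],
        "urls": urls,
        "hidden_services": sorted(services),
        "gateways": sorted(gateways),
    }


# Constructed stand-in for the dropped notes: same paths and URLs as the report,
# wording invented for the example. A non-note file is included as a control.
CONSTRUCTED_NOTE = (
    "Your files have been encrypted.\n"
    "http://cryptsen7fo43rr6.onion/\n"
    "http://cryptsen7fo43rr6.onion.to/\n"
    "http://cryptsen7fo43rr6.onion.cab/\n"
)
CONSTRUCTED_NOTES = {f"C:\\README{i}.txt": CONSTRUCTED_NOTE for i in range(1, 11)}
CONSTRUCTED_NOTES["C:\\Users\\user\\Desktop\\todo.txt"] = "unrelated file"

if __name__ == "__main__":
    for key, value in triage_notes(CONSTRUCTED_NOTES).items():
        print(f"{key}: {value}")
```

The gateway list is what turns three URLs into a usable block rule: a proxy or DNS policy that denies the gateway domains and any host ending in the hidden-service name catches the same destination under every spelling the notes use.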
Targets
Target: ????????????? ???? ???????? ????????.js
Size: 6KB
MD5: edcdf2b9352f9d0b36d11a88a8f1918a
SHA1: 6748073762bbedf97efbe3c6eac7fd7686961809
SHA256: 3500d195bfc0f2154673fed3a2fc3a9ed79483a9420e27f0202ea27cc3d5dda3
SHA512: 1637f3b6d77e44ec1e2e0b22d6323b005f4bdcc0e5b73e5aa2fc0f3e023888b84946765c18296d16b9c65ad5d3d96dd0d1cf91f4a41ebf5068f1e9bb72073230
These hashes are for the .js target; they differ from the 3KB submission hashed under General, so pivot on both sets when searching other sources.
Signatures:
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence (many ransomware families exit on certain locales).
- Deletes itself
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
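How signatures like the ones above can be matched against a process trace, as an added example (not the sandbox's own rule definitions): the function below walks a list of constructed registry, file and process events and attributes each of six of the report's signatures to the events that triggered it. The event schema, the sample path, the dropped-file name and the ".enc" extension are invented for the example; the registry locations are the standard Windows ones for the locale setting, the Uninstall list and the per-user Run key. The threshold of three extension changes is an assumption, not a value from the report.

```python
"""Map constructed sandbox events to the report's behavioural signatures.

Added example; not the sandbox's own rule definitions. The event format is
invented for this example; the registry paths are the standard Windows
locations for each setting.
"""
import ntpath
from collections import defaultdict

# Assumption: flag mass extension changes only once this many user files are hit.
USER_FILE_THRESHOLD = 3
USER_ROOT = "c:\\users\\"


def _norm(path):
    """Case-fold and use backslashes so comparisons are stable."""
    return path.replace("/", "\\").lower()


def match_signatures(events, image_path):
    """events: list of dicts with an 'op' key; image_path: the sample's own file.

    Returns {signature name: [matching events]}."""
    hits = defaultdict(list)
    ext_changes = []
    written = set()
    image = _norm(image_path)
    for ev in events:
        op = ev["op"]
        path = _norm(ev.get("path", ""))
        if (op == "RegQueryValue"
                and path.endswith("\\control panel\\international\\geo")
                and ev.get("value", "").lower() == "nation"):
            hits["Checks computer location settings"].append(ev)
        elif op in ("RegOpenKey", "RegEnumKey") and "\\currentversion\\uninstall" in path:
            hits["Checks installed software on the system"].append(ev)
        elif op == "RegSetValue" and path.endswith("\\currentversion\\run"):
            hits["Adds Run key to start application"].append(ev)
        elif op == "FileWrite":
            written.add(path)  # remember what the sample dropped
        elif op == "ProcessCreate" and path in written and path.endswith(".exe"):
            hits["Executes dropped EXE"].append(ev)
        elif op == "FileRename":
            src, dst = _norm(ev["src"]), _norm(ev["dst"])
            if src.startswith(USER_ROOT) and ntpath.splitext(src)[1] != ntpath.splitext(dst)[1]:
                ext_changes.append(ev)
        elif op == "FileDelete" and path == image:
            hits["Deletes itself"].append(ev)
    if len(ext_changes) >= USER_FILE_THRESHOLD:
        hits["Modifies extensions of user files"] = ext_changes
    return dict(hits)


# Constructed trace. Paths and names are stand-ins, not values from the report.
SAMPLE = "C:\\Users\\user\\Downloads\\sample.js"
CONSTRUCTED_EVENTS = [
    {"op": "RegQueryValue", "path": "HKCU\\Control Panel\\International\\Geo", "value": "Nation"},
    {"op": "RegEnumKey", "path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"},
    {"op": "FileWrite", "path": "C:\\ProgramData\\dropped.exe"},
    {"op": "ProcessCreate", "path": "C:\\ProgramData\\dropped.exe"},
    {"op": "RegSetValue", "path": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "dropped"},
    {"op": "FileRename", "src": "C:\\Users\\user\\Documents\\a.docx",
     "dst": "C:\\Users\\user\\Documents\\a.docx.enc"},
    {"op": "FileRename", "src": "C:\\Users\\user\\Documents\\b.xlsx",
     "dst": "C:\\Users\\user\\Documents\\b.xlsx.enc"},
    {"op": "FileRename", "src": "C:\\Users\\user\\Pictures\\c.jpg",
     "dst": "C:\\Users\\user\\Pictures\\c.jpg.enc"},
    {"op": "FileDelete", "path": SAMPLE},
]

if __name__ == "__main__":
    for name, evs in match_signatures(CONSTRUCTED_EVENTS, SAMPLE).items():
        print(f"{name}: {len(evs)} event(s)")
```

The extension-change rule is the one that needs a threshold: a single rename of a user file is ordinary, so the signature only fires once enough renames have accumulated, and the matched events are kept so an analyst can see which files were touched.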