b3c495a36fea5be7069701fc373d83739aa721b87aac18c3abc390d836500047

General

Target

d2c47b1c94e6beadbc222771e788e9dafe194c462760b0d16cd25cbc0a572a00.bin.sample.gz
Size

100KB
Sample

220529-wwbacscgfj
MD5

7765ca8b2c818958f426dddc593df790
SHA1

99788b810dc16354575a9bf5d221bea9d3ee73eb
SHA256

b3c495a36fea5be7069701fc373d83739aa721b87aac18c3abc390d836500047
SHA512

12e729cea15ff799c61f8763c91eab952e52f036de8a6836a40bd6963a8f979de34c10ebaca94924f731fe2f5c551d7a1bb33d80c462c7bf9d3339697f4ac8b3

Score

10^/10

Malware Config

Targets

- Target
  
  sample
- Size
  
  1.8MB
- MD5
  
  f477c3bd9d9599a59affb41a8807f8ae
- SHA1
  
  1fee4f5bda8b765acbb741aeebfe74ea9b0f0f4e
- SHA256
  
  d2c47b1c94e6beadbc222771e788e9dafe194c462760b0d16cd25cbc0a572a00
- SHA512
  
  75060be4bbd7fee8ce455e533a6fb8d7b48e64daf90266e6d346f51545e2922c78497e6eb8937de2102e2fff98c9645eb78c7785dc145d9d3d838ac94f417257
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies system executable filetype association
  persistence
- UAC bypass
  evasion trojan
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2