General
-
Target
7ea4ed64bd51eb40865c5ede7da7cf980a464db8087d95fec5a83885352c88b2
-
Size
82KB
-
Sample
220607-w41j8acdel
-
MD5
d1b3c544cb322538e43938174b05eee2
-
SHA1
3f8ca284369b714e80838d2d77c2014d1fbe9442
-
SHA256
7ea4ed64bd51eb40865c5ede7da7cf980a464db8087d95fec5a83885352c88b2
-
SHA512
49f28ce81ba7736eca1a881df9a69fac82022b620cc87d56f2597fc8ec6ca7f53485d70d6ccd612b1a1c16c0d3e5cf958ba317101d95091cb347348cdcf32c2a
Malware Config
Targets
-
-
Target
7ea4ed64bd51eb40865c5ede7da7cf980a464db8087d95fec5a83885352c88b2
-
Size
82KB
-
MD5
d1b3c544cb322538e43938174b05eee2
-
SHA1
3f8ca284369b714e80838d2d77c2014d1fbe9442
-
SHA256
7ea4ed64bd51eb40865c5ede7da7cf980a464db8087d95fec5a83885352c88b2
-
SHA512
49f28ce81ba7736eca1a881df9a69fac82022b620cc87d56f2597fc8ec6ca7f53485d70d6ccd612b1a1c16c0d3e5cf958ba317101d95091cb347348cdcf32c2a
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Windows security modification
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-