Extracted

• • Target

    1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2

  • Size

    164KB

  • MD5

    5f2d13576e4906501c91b8bf400e0890

  • SHA1

    adff2761a6afe9ecaa70486c0a04746c676a133b

  • SHA256

    1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2

  • SHA512

    29186d7c1702ab738844777a780ce982882727d8fb3ae6e1fd084bffef3ac63fcd7ca4624ee9bf047c909c303deece27f81650b1309280d6609d207e29131dfd

  Score

  10^/10

  hydracryptpersistenceransomwarespywarestealer

  • HydraCrypt

    Relatively unsophisticated ransomware family based on leaked CrypBoss source code.

    ransomwarehydracrypt

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2