General
Target: Request for Quotation (RFQ_196).zip.vir
Size: 3.3MB
Sample: 220619-pxw5wshad9
MD5: d69dc6569b385c0467185d002e252d89
SHA1: 25938a66cce0078c76a15f351cbd19c8fcc2b081
SHA256: 80239619c4ca44380c6269873a5b6b695585ccfcf278e0f2c72698658a3a6fd8
SHA512: 54ebf42bcfd6ae5990309cfebe6b2952de40e64988cdcd3e71db596a69b9cd782b32240c2009d9241ffcd8c7e0476bc36bad40d2443e128afdad3bbb8e55e895
Static task: static1
Behavioral task: behavioral1
  Sample: Proforma Invoice and Bank swift-REG.PI-0086547654.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Proforma Invoice and Bank swift-REG.PI-0086547654.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\@[email protected]
  Family: wannacry
  Wallet: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Extracted from: C:\Users\Admin\AppData\Local\Temp\@[email protected]
  Family: wannacry
  Wallet: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Targets
Target: Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Size: 3.4MB
MD5: 84c82835a5d21bbcf75a61706d8ab549
SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512: 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
- Executes dropped EXE
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Sets desktop wallpaper using registry