Extracted

• • Target

    e55fcf9315c52d2abd3431f7e4bb82cbd2b0d24d124e0e1a27b951030b2de162

  • Size

    156KB

  • MD5

    ca2326886fa699068c44f32b3e51adaf

  • SHA1

    3555aaebe6c113fb8f923a38cb3bd75da6e86277

  • SHA256

    e55fcf9315c52d2abd3431f7e4bb82cbd2b0d24d124e0e1a27b951030b2de162

  • SHA512

    d7da00f22fede4909c29d5c6125f2b5749453cefa65c262133d50cf7235fc9d3b134e5b2d5740f08e8db3fc70c21de8bed42deb84a5ca31108a7968026b7ed9e

  Score

  10^/10

  ransomexx_winevasionransomware

  • Deletes NTFS Change Journal

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    ransomware

  • RansomEXX Ransomware

    Targeted ransomware with variants which affect Windows and Linux systems.

    ransomwareransomexx_win

  • Clears Windows event logs

    evasionransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Disables use of System Restore points

    evasion

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Overwrites deleted data with Cipher tool

    Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral1behavioral2