General
Target: windows_x64_encrypt.dll
Size: 601KB
Sample: 220824-ch46qsfhd7
MD5: 5a22a872d458c1dcb66cc2506d57afb7
SHA1: 5dbdd31a29f702b317d7907a69a42e7d21a5b32e
SHA256: 940f22327b5693b1246187f49e87e0ebbd01454033029c7aa6eab15a0ae85fa9
SHA512: 6ffe0696aff39449e110811c2f862f835cbd51e46942b9a9cef987e4d24ac9d9efdc9a32102d76df433b423004c8d194e6d23e5369f109449917b0b55ade9845
SSDEEP: 12288:O4jAC6F/0doKJcT/L/DcQVV03YKHLbdOrqoeOQB8eA2wmuKE6bxmdemEll6/vTF+:O4jF05/XPnEbynuLEhAoFci4HksWld9E
Static task: static1
Behavioral task: behavioral1
Sample: windows_x64_encrypt.dll
Resource: win10-20220812-en
Malware Config
Extracted: C:\HOW_TO_DECRYPT.txt
Ransomware family: hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Extracted: C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\HOW_TO_DECRYPT.txt
Ransomware family: hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Targets
Target: windows_x64_encrypt.dll
Score: 10/10
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.