General
-
Target
HEUR-Trojan-Ransom.MSIL.Crypmodadv.gen-2b5c0eed6f0e364b39dba4263611b01e7c2399232fbf23a66ad17760d616314c.exe
-
Size
284KB
-
Sample
220921-enh7kaaefp
-
MD5
668983cf8223a398f4b8a1a4d7cddb7a
-
SHA1
8fa5d4312dd5f1964a3bd34d2c09842ec02f135c
-
SHA256
2b5c0eed6f0e364b39dba4263611b01e7c2399232fbf23a66ad17760d616314c
-
SHA512
5e0e868a6640d1bf836142f14c3d29d658996e38e3e380c670132c0c85cbf8f9c6dfa0d58d9a04b2606ab1d0cf8d2c26449f869003c03207591d09e0061d9646
-
SSDEEP
6144:ISoIcVpYGcAeYIiSOOrYJoLiWMWvGKab2btuMcjV:ILIaBoU4iFWvztuMcjV
Behavioral task
behavioral1
Sample
HEUR-Trojan-Ransom.MSIL.Crypmodadv.gen-2b5c0eed6f0e364b39dba4263611b01e7c2399232fbf23a66ad17760d616314c.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
HEUR-Trojan-Ransom.MSIL.Crypmodadv.gen-2b5c0eed6f0e364b39dba4263611b01e7c2399232fbf23a66ad17760d616314c.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
C:\Users\Public\Pictures\Sample Pictures\ARGUS-DECRYPT.html
argusdecrypt@cock.li
argusdecrypt@mailfence.com
http://argusqug6aw25gye.onion/
Extracted
C:\Users\Admin\Music\ARGUS-DECRYPT.html
argusdecrypt@cock.li
argusdecrypt@mailfence.com
http://argusqug6aw25gye.onion/
Targets
-
-
Target
HEUR-Trojan-Ransom.MSIL.Crypmodadv.gen-2b5c0eed6f0e364b39dba4263611b01e7c2399232fbf23a66ad17760d616314c.exe
-
Size
284KB
-
MD5
668983cf8223a398f4b8a1a4d7cddb7a
-
SHA1
8fa5d4312dd5f1964a3bd34d2c09842ec02f135c
-
SHA256
2b5c0eed6f0e364b39dba4263611b01e7c2399232fbf23a66ad17760d616314c
-
SHA512
5e0e868a6640d1bf836142f14c3d29d658996e38e3e380c670132c0c85cbf8f9c6dfa0d58d9a04b2606ab1d0cf8d2c26449f869003c03207591d09e0061d9646
-
SSDEEP
6144:ISoIcVpYGcAeYIiSOOrYJoLiWMWvGKab2btuMcjV:ILIaBoU4iFWvztuMcjV
Score10/10-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry
-