General
Target: HEUR-Backdoor.Win32.Agent.gen-1334569f29339f990ca7a43d323666c6d1b27d7c5d884c287e254aa8b7345daf.exe
Size: 6.2MB
Sample: 220925-vdy32afdg3
MD5: 942b003ffc9738426d16af08281d1791
SHA1: 97f1e7c168261607f114a92ed0af31baf68b1599
SHA256: 1334569f29339f990ca7a43d323666c6d1b27d7c5d884c287e254aa8b7345daf
SHA512: 19d4b0708f55b266be1282eff9f37e493d2567e4470092b1f0ae479574d7e46b2a558cc9c113db2a883595360c038121abbdd3a28b3b3794fc146b83395a8f27
SSDEEP: 196608:3YIY1m/a6cNVOCX+1mHTJQvpTSpk3mYk9:vuBVOg0gTYDK
Static task: static1
Behavioral task: behavioral1
  Sample: HEUR-Backdoor.Win32.Agent.gen-1334569f29339f990ca7a43d323666c6d1b27d7c5d884c287e254aa8b7345daf.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: HEUR-Backdoor.Win32.Agent.gen-1334569f29339f990ca7a43d323666c6d1b27d7c5d884c287e254aa8b7345daf.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted
C:\Windows\Temp\@Please_Read_Me@.txt
wannacry
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
C:\Windows\Temp\@Please_Read_Me@.txt
wannacry
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Targets
Target: HEUR-Backdoor.Win32.Agent.gen-1334569f29339f990ca7a43d323666c6d1b27d7c5d884c287e254aa8b7345daf.exe
Size: 6.2MB
MD5: 942b003ffc9738426d16af08281d1791
SHA1: 97f1e7c168261607f114a92ed0af31baf68b1599
SHA256: 1334569f29339f990ca7a43d323666c6d1b27d7c5d884c287e254aa8b7345daf
SHA512: 19d4b0708f55b266be1282eff9f37e493d2567e4470092b1f0ae479574d7e46b2a558cc9c113db2a883595360c038121abbdd3a28b3b3794fc146b83395a8f27
SSDEEP: 196608:3YIY1m/a6cNVOCX+1mHTJQvpTSpk3mYk9:vuBVOg0gTYDK
- Disables Task Manager via registry modification
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext