General
- Target: adb6f8d52932e656f3b129d4f31104426b39c1c6521e23a59108ee3f7990ba91.zip
- Size: 660KB
- Sample: 221011-jzeezadecq
- MD5: d647220db85f6557e262ada99919e9f2
- SHA1: 5fceb3f1819a994b22f3f83084ea50e540d9f8e4
- SHA256: adb6f8d52932e656f3b129d4f31104426b39c1c6521e23a59108ee3f7990ba91
- SHA512: a0cd2e59dbfdf4bb184d148cada7f82e51b5508b9397e460b16b97afe764d789b374ba33d67d9cc730eb74e8db7466fc8af11f6f5fc6eb144f158ac8a07d75d5
- SSDEEP: 12288:hkr/10xl0PFS4jwbIsO/arlTT6zncVUJ7vndkrL:ar/10xl04EOIH/cTT6DNGrL
Static task: static1
Behavioral task: behavioral1
- Sample: 478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
- Resource: win10v2004-20220812-en
Malware Config
- Extracted: C:\Users\Admin\AppData\Local\Temp\info.hta
Targets
- Target: 478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
- Size: 660KB
- MD5: affd7cfdd9720f8a044d5e9410923a78
- SHA1: 80ac3f86c3a31c4516f9077f8c5e990de2068032
- SHA256: 478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064
- SHA512: 5468ae683c5d5cf41ae8b961d40a02e827a226a2aa5845c74d20ef0f556145d737d3d8932b0dbae4ff69736c388a931f72a5f33a2775b1a9ac8717ce160b43de
- SSDEEP: 12288:1kr/10xl0PFS4jwbIsO/arlTT6zncVUJ7vndkrh:+r/10xl04EOIH/cTT6DNGrh
Score: 10/10
- Disables Task Manager via registry modification
- Modifies Windows Firewall
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry