General

  • Target

    4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.zip

  • Size

    68KB

  • Sample

    221121-nyt69aha59

  • MD5

    94957c70b48dc35a9844b136fbcd0e99

  • SHA1

    c8db36e64be882707b3e1e11bbd23de861c68382

  • SHA256

    926da8f5eafdb6a22a2ffd01fe737a589f001f2da87a244f4fa9fd2626348898

  • SHA512

    26677194c1e4f4c6a7334db549da7f04dae205869281e8f33ce061d66732947ed3a90abb7e0ce2ea9d28ff62e04c411200911112f443852ef432d7bd623c7f3b

  • SSDEEP

    768:vLrMLBUy8uEOJocNciyt2gK1OdDDaECZbW8O/BVpTzs/rpO0g4WJaV8EitGe65FG:eBUqyioJu4DcZCVszok8ESWcjwccC7

Malware Config

Targets

    • Target

      4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe

    • Size

      156KB

    • MD5

      fcd21c6fca3b9378961aa1865bee7ecb

    • SHA1

      0abaa05da2a05977e0baf68838cff1712f1789e0

    • SHA256

      4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

    • SHA512

      e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a

    • SSDEEP

      1536:7ZLTzASUIG0TOOYTufIaSWvRYkekdvizSBXxNe9VPw6s6aUCT7Q7qn:OBI9HYyfNBdviGBBQsrhPk4

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    • RansomEXX Ransomware

      Targeted ransomware with variants which affect Windows and Linux systems.

    • Clears Windows event logs

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables use of System Restore points

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Overwrites deleted data with Cipher tool

      Cipher is a Windows tool which can be used to securely wipe deallocated HDD space, preventing recovery of deleted data.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks