General
-
Target
bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525
-
Size
685KB
-
Sample
221123-ln1j6sbh28
-
MD5
6dcb4ce3ae5aedc4876e9896073c77a5
-
SHA1
f9153a229d69934d1ec0320f10ef7029b5f38132
-
SHA256
bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525
-
SHA512
722357524bd83dc3347a57deb0da06ea06f5ab2a206810e1e40210b035ad7e31d7ac80365ce244de45433e102539fb053990c78a7ac0356f5495b4b80b92f683
-
SSDEEP
12288:C7jy0J9opbkjyhoHU7ye3Dbfrpfe9HMbIPvHSIVlvee15t+F1D036:C7bJowjyho07zTjtm9R3HTL5t4q6
Static task
static1
Behavioral task
behavioral1
Sample
bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DecryptAllFiles 7158839.txt
http://zt6bycgnjvatzzvi.onion
Targets
-
-
Target
bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525
-
Size
685KB
-
MD5
6dcb4ce3ae5aedc4876e9896073c77a5
-
SHA1
f9153a229d69934d1ec0320f10ef7029b5f38132
-
SHA256
bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525
-
SHA512
722357524bd83dc3347a57deb0da06ea06f5ab2a206810e1e40210b035ad7e31d7ac80365ce244de45433e102539fb053990c78a7ac0356f5495b4b80b92f683
-
SSDEEP
12288:C7jy0J9opbkjyhoHU7ye3Dbfrpfe9HMbIPvHSIVlvee15t+F1D036:C7bJowjyho07zTjtm9R3HTL5t4q6
Score10/10-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-