General
Target: 3503e7a4ad2fa20c9d927096b496a145707cca1723e707d3ea477817caa4d03b
Size: 687KB
Sample: 221125-z172nsac5w
MD5: 803f9c1091e5ca6dc3e9aa90172e0bf4
SHA1: 85bb3d47a1abe3f3694533d72db91b55e15f8715
SHA256: 3503e7a4ad2fa20c9d927096b496a145707cca1723e707d3ea477817caa4d03b
SHA512: 37e92fc7fd60e18dd687b31f578484b2b983bc0111e54910d86bc03a5de0328c3afafe103568fa5f39ad7bcc1dcf5dbe2ba133536bb47ae2cc8f67cf473d16b0
SSDEEP: 12288:TBEFh3LEXERqMLx+dyUjxOL+QiUv1WPB5mq6CHHqT1Ln0jGBXJ:GFh3oQqGnAxOL+QxjtUHO0jQZ
Static task: static1
Behavioral task: behavioral1
  Sample: 3503e7a4ad2fa20c9d927096b496a145707cca1723e707d3ea477817caa4d03b.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3503e7a4ad2fa20c9d927096b496a145707cca1723e707d3ea477817caa4d03b.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files miliicl.txt
  http://ohmva4gbywokzqso.onion.cab
  http://ohmva4gbywokzqso.tor2web.org
  http://ohmva4gbywokzqso.onion/
Extracted: C:\Users\Admin\Documents\Decrypt All Files ockdtmb.txt
  http://ohmva4gbywokzqso.onion.cab
  http://ohmva4gbywokzqso.tor2web.org
  http://ohmva4gbywokzqso.onion/
Extracted: C:\ProgramData\borcfwe.html
  http://ohmva4gbywokzqso.onion.cab
  http://ohmva4gbywokzqso.tor2web.org
  http://ohmva4gbywokzqso.onion
Targets
Target: 3503e7a4ad2fa20c9d927096b496a145707cca1723e707d3ea477817caa4d03b
Score: 10/10
- Executes dropped EXE
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Sets desktop wallpaper using registry