General
-
Target
903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56
-
Size
1.1MB
-
Sample
221126-adsk2abf3w
-
MD5
f7bf40a04f42e1f14e54a18d3c61897f
-
SHA1
3eebc14f1c70ae9d4fa493c650a94d12257b2435
-
SHA256
903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56
-
SHA512
18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb
-
SSDEEP
12288:gpQzNWXXasPZqh+unTEDA9ukiVATu83lf6YiRuRVlbEU6kw801pyVklLgjN25Kt7:g5asBpDDkqAT31Bi0RQ1EqG2+EC
Static task
static1
Behavioral task
behavioral1
Sample
903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DecryptAllFiles 7294856.txt
http://wypwtzc2kaceyufw.onion
Extracted
C:\Users\Admin\Documents\yrnkowk.html
http-equiv='Content-Type
Extracted
C:\Users\Admin\Documents\DecryptAllFiles 240628218.txt
http://wypwtzc2kaceyufw.onion
Targets
-
-
Target
903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56
-
Size
1.1MB
-
MD5
f7bf40a04f42e1f14e54a18d3c61897f
-
SHA1
3eebc14f1c70ae9d4fa493c650a94d12257b2435
-
SHA256
903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56
-
SHA512
18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb
-
SSDEEP
12288:gpQzNWXXasPZqh+unTEDA9ukiVATu83lf6YiRuRVlbEU6kw801pyVklLgjN25Kt7:g5asBpDDkqAT31Bi0RQ1EqG2+EC
Score10/10-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-