General
Target: 114fd64e54c0a3a63327e443bb61e7f8ef3096de681177c834e38125092f5b6b
Size: 683KB
Sample: 221126-hklp3aab37
MD5: 06ea9899946dd36a8a7d71aacd22c19b
SHA1: 78a46f010cea448fcb0a304be18ea31668b906b1
SHA256: 114fd64e54c0a3a63327e443bb61e7f8ef3096de681177c834e38125092f5b6b
SHA512: 80b2ed3674346e9d469796e68b26597d02eea9f104e4f02e7e9a6e55246644c51a6fda36fb21881e70577a2dd41759c1c5e475933b55a5d2e48a721992bb3f22
SSDEEP: 12288:+ATRdiC4HE2Q7gC+lYx0E5pZpER9+93Qy2nd9AMPkztyG4RSBExMhGCb5:rT7gk2zh3opZx4PkzIGHEGz5
Static task: static1
Behavioral task: behavioral1
Sample: 114fd64e54c0a3a63327e443bb61e7f8ef3096de681177c834e38125092f5b6b.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 114fd64e54c0a3a63327e443bb61e7f8ef3096de681177c834e38125092f5b6b.exe
Resource: win10v2004-20221111-en
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files gsugzxi.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\Users\Admin\Documents\Decrypt All Files gsugzxi.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\ProgramData\zlwdkgg.html
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion
Targets
Target: 114fd64e54c0a3a63327e443bb61e7f8ef3096de681177c834e38125092f5b6b
Size: 683KB
MD5: 06ea9899946dd36a8a7d71aacd22c19b
SHA1: 78a46f010cea448fcb0a304be18ea31668b906b1
SHA256: 114fd64e54c0a3a63327e443bb61e7f8ef3096de681177c834e38125092f5b6b
SHA512: 80b2ed3674346e9d469796e68b26597d02eea9f104e4f02e7e9a6e55246644c51a6fda36fb21881e70577a2dd41759c1c5e475933b55a5d2e48a721992bb3f22
SSDEEP: 12288:+ATRdiC4HE2Q7gC+lYx0E5pZpER9+93Qy2nd9AMPkztyG4RSBExMhGCb5:rT7gk2zh3opZx4PkzIGHEGz5
Score: 10/10
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext