General
Target: f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319
Size: 1.0MB
Sample: 221126-hkprqaab45
MD5: d23c1057bfe4f1aaaf5a5a5bc37bd061
SHA1: 741a668f93266819a91a8876c74126e97f3ed1cd
SHA256: f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319
SHA512: 31bbf7e147dd25001b035bc68649f235488debea5adc3d54a25b3c0047b3f45b070fd4cb81d6919c972ca6747389973c07c3c94cc8bbe2304fa61c6ef35b4c5c
SSDEEP: 24576:85PDHbsqZzwSRH3lPjCPH9MedZurmTR/zQu:81bsqZTH3lPjCFMa4mlzQu
Static task: static1
Behavioral task: behavioral1
Sample: f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
Resource: win10v2004-20220812-en
Malware Config
Extracted from C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-zyjgzxi.txt
http://onja764ig6vah2jo.onion.cab
http://onja764ig6vah2jo.tor2web.org
http://onja764ig6vah2jo.onion/
Extracted from C:\Users\Admin\Documents\Decrypt-All-Files-zyjgzxi.txt
http://onja764ig6vah2jo.onion.cab
http://onja764ig6vah2jo.tor2web.org
http://onja764ig6vah2jo.onion/
Extracted from C:\ProgramData\zlwdkgg.html
http://onja764ig6vah2jo.onion.cab
http://onja764ig6vah2jo.tor2web.org
http://onja764ig6vah2jo.onion
Targets
Target: f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319
Size: 1.0MB
MD5: d23c1057bfe4f1aaaf5a5a5bc37bd061
SHA1: 741a668f93266819a91a8876c74126e97f3ed1cd
SHA256: f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319
SHA512: 31bbf7e147dd25001b035bc68649f235488debea5adc3d54a25b3c0047b3f45b070fd4cb81d6919c972ca6747389973c07c3c94cc8bbe2304fa61c6ef35b4c5c
SSDEEP: 24576:85PDHbsqZzwSRH3lPjCPH9MedZurmTR/zQu:81bsqZTH3lPjCFMa4mlzQu
Score: 10/10
- Executes dropped EXE
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext