General
-
Target
85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37
-
Size
637KB
-
Sample
221126-sr7afsdd82
-
MD5
7da542b3bb5315c122e615782f69ecbf
-
SHA1
6ed5e8827874dc1ffb452511f7a0c7a8556fd954
-
SHA256
85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37
-
SHA512
80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4
-
SSDEEP
12288:7Wbr5dYHRCfp7cJY2nj9pH9G3qMc7qJUHrlm63yCkhep9Mkkf:6bddfhIJN7dG3O7XH53ybheLDkf
Static task
static1
Behavioral task
behavioral1
Sample
85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files qtogicl.txt
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion/
Extracted
C:\ProgramData\yrnkowk.html
http-equiv='Content-Type
Extracted
C:\Users\Admin\Documents\Decrypt All Files plqrcsi.txt
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion/
Extracted
C:\ProgramData\yrnkowk.html
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion
Targets
-
-
Target
85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37
-
Size
637KB
-
MD5
7da542b3bb5315c122e615782f69ecbf
-
SHA1
6ed5e8827874dc1ffb452511f7a0c7a8556fd954
-
SHA256
85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37
-
SHA512
80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4
-
SSDEEP
12288:7Wbr5dYHRCfp7cJY2nj9pH9G3qMc7qJUHrlm63yCkhep9Mkkf:6bddfhIJN7dG3O7XH53ybheLDkf
Score10/10-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-