General
-
Target
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded
-
Size
181KB
-
Sample
221127-3wcazshb25
-
MD5
388c279f454dc300cd9c809c6a933f86
-
SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77
-
SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded
-
SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511
-
SSDEEP
3072:sfKigMo5+zbn0vSXWS1qh2BNqF728MDEbpmPu4:zv5+f0amkBa72ND04
Static task
static1
Behavioral task
behavioral1
Sample
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pipalmn.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-pipalmn.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\ProgramData\nydzthc.html
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-wxsqcsi.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Targets
-
-
Target
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded
-
Size
181KB
-
MD5
388c279f454dc300cd9c809c6a933f86
-
SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77
-
SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded
-
SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511
-
SSDEEP
3072:sfKigMo5+zbn0vSXWS1qh2BNqF728MDEbpmPu4:zv5+f0amkBa72ND04
Score10/10-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-