General
-
Target
3e3c6f05488fe69bf03ba727e4d70420a8386b8607e2b0108fc03c36bc730b45
-
Size
184KB
-
Sample
221128-g4ns4abh96
-
MD5
aa9ac393da242ac8b0dc85ee24d667b1
-
SHA1
f85621566b73d89b08c3b9d5710a0410c97e3996
-
SHA256
3e3c6f05488fe69bf03ba727e4d70420a8386b8607e2b0108fc03c36bc730b45
-
SHA512
dc450d72a8421fb7221dc47ba4f1778391a518e1d6486f59a961b82546cde368718694ceac883b0ce8e4a138e3523deed3d3e748cf1c863ca9f2448d8c7f3241
-
SSDEEP
3072:RRXtJcha6e+zjVD7e/8l9/8JNX5UukzbyBll48dBPEuDbvRCLn2O:XV6egHe0l9+FQ/yBw8dBDDb62O
Malware Config
Targets
-
-
Target
3e3c6f05488fe69bf03ba727e4d70420a8386b8607e2b0108fc03c36bc730b45
-
Size
184KB
-
MD5
aa9ac393da242ac8b0dc85ee24d667b1
-
SHA1
f85621566b73d89b08c3b9d5710a0410c97e3996
-
SHA256
3e3c6f05488fe69bf03ba727e4d70420a8386b8607e2b0108fc03c36bc730b45
-
SHA512
dc450d72a8421fb7221dc47ba4f1778391a518e1d6486f59a961b82546cde368718694ceac883b0ce8e4a138e3523deed3d3e748cf1c863ca9f2448d8c7f3241
-
SSDEEP
3072:RRXtJcha6e+zjVD7e/8l9/8JNX5UukzbyBll48dBPEuDbvRCLn2O:XV6egHe0l9+FQ/yBw8dBDDb62O
Score9/10-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-